Abstract—The presence of a tight integration between the discrete control (the “cyber”) and the analog environment (the “physical”)—via sensors and actuators over wired or wireless communication networks—is the defining feature of cyber-physical systems. Hence, the functional correctness of a cyber-physical system is crucially dependent not only on the dynamics of the analog physical environment, but also on the decisions taken by the discrete control that alter the dynamics of the environment. The framework of hybrid automata—introduced by Alur, Courcoubetis, Henzinger, and Ho—provides a formal modeling and specification environment to analyze the interaction between the discrete and continuous parts of a cyber-physical system. Hybrid automata can be considered as generalizations of finite state automata augmented with a finite set of real-valued variables whose dynamics in each state is governed by a system of ordinary differential equations. Moreover, the discrete transitions of hybrid automata are guarded by constraints over the values of these real-valued variables, and enable discontinuous jumps in the evolution of these variables. Considering the richness of the dynamics in a hybrid automaton, it is perhaps not surprising that the fundamental verification questions, like reachability and schedulability, for the general model are undecidable. In this article we present a review of hybrid automata as a modeling and verification framework for cyber-physical systems, and survey some of the key results related to practical verification questions for hybrid automata.

I. Introduction 

The term “cyber-physical systems” refers to any network of digital and analog systems whose performance crucially depends on both the continuous dynamics of the analog parts and the real-time switching decisions made by the digital system. A typical cyber-physical system may consist of several processors connected with a set of physical systems via sensors and actuators over wired or wireless communication networks. Such systems increasingly play a safety-critical role in modern life, where a fault in their design can be catastrophic.

Modern cars are an important paradigmatic example of such safety-critical cyber-physical systems. A modern premium car typically has 70 to 100 interconnected electronic control units (ECUs) with dozens of sensors [39] performing various functions like air-bag control, cruise control, electronic stability control, antilock brakes, engine ignition, windshield-wiper control, engine control, and collision avoidance. Many of these ECUs are connected with the analog environment via sensors and actuators, and are expected to perform their operations within hard time limits. For instance, the air-bag ECU needs to respond within 20-30 milliseconds after the impact sensor connected to it detects a severe impact. As the number of ECUs in a typical car increases and they operate more autonomously, it is becoming increasingly difficult to ensure their correctness. The severity of the problem can perhaps be best realized by looking into the growing list of recalls by leading car companies due to software-related problems. Some prominent examples include Toyota’s recall of 160,000 of its 2004/05 Prius models because of a software problem causing the car to suddenly stall, Jaguar’s 2011 recall of nearly 18,000 X-type cars due to a software bug resulting in the driver’s inability to turn off the cruise control, and Volkswagen’s 2011 recall of about 4000 of its 2008 Passat models for an engine-control module software problem. The list is long and underscores the challenges in designing and verifying safety-critical cyber-physical systems. Similar examples can also be cited for cyber-physical systems from other domains such as avionics, implantable medical devices, transportation networks, and the energy sector.

Formal modeling and verification of systems is the set of techniques that employ rigorous mathematical reasoning to analyze properties of a system. In this article we concentrate on a celebrated formal verification framework known as model checking. Model checking—pioneered by Clarke, Sifakis and Emerson [12]—is a widely used automated technique that, given a formal description of a system and a property, systematically checks whether this property holds for a given state of the system model. The three key steps of this framework are the following:

1) formal modeling: modeling the system under consideration using a mathematically precise syntax that approximates the given system to a desired level of abstraction;

2) formal specification: specifying the properties of the system using a mathematically precise specification language (typically in formal logic); and

3) formal analysis: analyzing the formal model with respect to the formal specification and reporting a counterexample in case the system model violates the specification.

The success of the model checking framework in formal verification of systems is largely due to it being highly automatic—a push-button technology [47]—in comparison to other competing approaches like theorem proving. The counterexamples generated in the model-checking process are often used to automatically refine the model and/or the property—the counterexample-guided abstraction refinement (CEGAR) framework [49], [48]—and the entire procedure can be repeated, thus removing the need for a very accurate initial model or specification.

Early research on formal modeling and verification of systems concentrated on simplified models of the systems as finite state-transition graphs. Since these models are finite in nature, it is—in theory—possible to exhaustively explore the state space of the system to verify the properties of interest. However, the biggest challenge in model-checking of finite state-transition graphs is the so-called state-space explosion problem, characterizing the exponential blowup in the number of states in the explicit representation of the system when the system is naturally represented succinctly using state variables, or as a composition of a network of interacting finite state-transition graphs. In general, the state-space explosion problem renders the explicit exhaustive exploration of the system intractable. However, a number of techniques have been proposed to overcome the state-space explosion problem—including symmetry reduction [46], partial-order reduction [85], symbolic model checking [80] and bounded model checking [29], [30]—that have culminated in efficient and mature tool support including SPIN [92] and NuSMV [82] for finite state model-checking. Examples of the use of finite-state model-checking in industry include the verification of hardware circuits [67], communication and security protocols [78], and software device drivers [23].

These finite state-transition graphs, however, often do not satisfactorily model cyber-physical systems as they disregard the continuous dynamics of the physical environment. Alur and Dill [10] were the first to propose a formal model, known as timed automata, combining finite state-transition graphs with a finite set of real-valued variables that evolve as time progresses while the system occupies a state. In a timed automaton the real-valued variables—called clocks—simulate perfect clocks as they evolve with a uniform constant speed (rate) and hence can model asynchronous real-time systems interacting with a continuous physical environment. The clock variables can be used to constrain the evolution of the system by guarding the transitions of the graph, and can also be reset at the time of taking a transition to remember the time since that transition. These capabilities make timed automata a quite expressive formalism to define real-time systems. Moreover, the decidability¹ of key verification problems like reachability and schedulability and the availability of mature verification tools—like UPPAAL [27], [96], Kronos [66], and RED [89]—make timed automata an appealing tool for real-time system verification.

Alur, Courcoubetis, Henzinger, and Ho generalized timed automata to hybrid automata to include real-valued variables with arbitrary dynamics specified using ordinary differential equations. Considering the richness of dynamics of a hybrid automaton, it is perhaps not surprising that the fundamental verification questions like reachability are undecidable for hybrid automata. A number of subclasses of hybrid automata have been proposed with decidable verification problems and some of the algorithms have been implemented as part of tools like HyTech [60] and PHAVer [86].

¹ The concept of decidability is a central one in computer science and it characterizes the set of problems for which one can write computer programs that always terminate with a correct answer. The problems for which it is not possible to write such a program are known as undecidable problems. The most famous undecidable problem is the halting problem (similar to the reachability problem) for the configurations of Turing machines (an abstract model of computation capturing the notion of algorithmic computation).

Timed and hybrid automata provide an intuitive and semantically unambiguous way to model cyber-physical systems, and a number of case studies [95] demonstrate their application for the analysis of cyber-physical systems. In this article we aim to provide a general introduction to verification using hybrid automata as we focus on model-checking classical LTL logic [77] over hybrid automata. To keep the discussion simple we do not cover other logics, for instance, computation tree logic (CTL, CTL*) [77], [50], modal μ-calculus [53], and real-time and hybrid extensions of these logics including metric temporal logics (MTL [65], [83]) and duration calculus (DC) [43].

The goal of this article is to introduce key concepts for cyber-physical systems modeling and verification using hybrid automata with a focus on LTL model-checking. In order to better focus our attention, we will not cover several useful extensions of hybrid automata that capture certain natural aspects of modeling hybrid systems, including

— game-theoretic extensions [32] that allow the model to distinguish between controllable and uncontrollable non-determinism;

— probabilistic extensions [71], [25], [68], [6], [36], [75] that permit modeling of stochastic behavior arising due to, e.g., faulty or unreliable sensors or actuators, uncertainty in timing delays, and performance characteristics of (third-party) components; and

— priced extensions [73], [33], [88], [28] that permit modeling of resource consumption and payoffs associated with decisions.

We also restrict our attention to theoretical results regarding decidability of LTL model-checking problems, and do not cover data structures and algorithms [57], [54], [27] for efficient implementation of these results.

We begin this survey (Section II) by introducing two formalisms to model discrete and continuous dynamical systems, and then we present the hybrid automata model that combines features from these two models. Section III introduces the syntax and semantics of linear temporal logic (LTL) followed by a formal definition of the corresponding model-checking problem over hybrid automata, and using two-counter Minsky machines [81] we prove that, in general, LTL model-checking over hybrid automata is undecidable. In this section, we also introduce the idea of state-space reduction using a well-established technique called quotienting, which we later exploit to show decidability of the model checking problem for some variants of hybrid automata. We conclude the survey by discussing (Section IV) three key subclasses of hybrid automata—timed automata, (initialized) rectangular hybrid automata, and (two-dimensional) piecewise-constant derivative systems—with a decidable model checking problem.
II. Hybrid Automata

A dynamical system is simply a system whose “state” 
evolves with “time” governed by a fixed set of rules or 
“dynamics”. The state of a dynamical system is specified as 
valuations of the variables of interest in the system. Depending 
upon the nature of variables (discrete or continuous) and 
the notion of time (discrete or continuous) the dynamics of 
variables can be specified by differential equations or discrete 
assignments. For the purpose of this paper, we classify the 
dynamical systems into the following three broad classes: 
i) discrete systems where both the notion of time and the 
variables are discrete, ii) continuous systems where the notion 
of time is continuous, while the variables are continuous, 
and iii) hybrid systems where some variables are continuous 
and some are discrete, and although the notion of time is 
continuous, special dynamic-changing events can happen at 
discrete instants. Notice that both discrete and continuous 
systems can be considered as subclasses of hybrid systems. 

On an abstract level any dynamical system can simply be represented as a graph whose nodes represent the states and edges represent transitions between the states. Formally, a state transition graph can be defined in the following manner.

Definition 1 (State Transition Graphs): A state transition graph is a tuple $T = (S, S_0, \Sigma, \Delta)$ where:

— $S$ is a (potentially infinite) set of states;

— $S_0 \subseteq S$ is the set of initial states;

— $\Sigma$ is a (potentially infinite) set of actions; and

— $\Delta \subseteq S \times \Sigma \times S$ is the transition relation.

We say that a state transition graph $T$ is finite (countable) if the sets $S$ and $\Sigma$ are finite (countable).

Given an action $a \in \Sigma$ and a state $s$ we write $\mathrm{Post}(s, a)$ for the set of states that are reachable from $s$ on $a$ and $\mathrm{Post}(s)$ for the states reachable in one step from $s$, i.e.

$$\mathrm{Post}(s, a) = \{ s' : (s, a, s') \in \Delta \}, \qquad \mathrm{Post}(s) = \bigcup_{a \in \Sigma} \mathrm{Post}(s, a).$$

A run—an execution or a trajectory—of a dynamical system modeled as a state transition graph $T$ is a (finite or infinite) alternating sequence of states and actions that begins with an initial state and in which every state is connected with its predecessor via the transition relation. Formally, a finite run is a sequence $(s_0, a_1, s_1, a_2, s_2, \ldots, s_n)$ such that $s_0 \in S_0$ and for all $0 \le i < n$ we have that $s_{i+1} \in \mathrm{Post}(s_i, a_{i+1})$. An infinite run is defined analogously.

Example 1: A graphical description of a state transition graph depicting a mod-4 counter with pause is shown in Figure 1. We represent a state using a rounded rectangle and a transition using a labeled edge between participating states. An initial state is marked using an incoming arrow to that state labeled “start”. An example of a run is the finite sequence:

$$((\mathrm{count}, 0), \mathrm{tick}, (\mathrm{count}, 1), \mathrm{pause}, (\mathrm{pause}, 1), \mathrm{tick}, (\mathrm{pause}, 1), \mathrm{on}, (\mathrm{count}, 1), \mathrm{tick}, (\mathrm{count}, 2)).$$

A state transition graph is a feasible way to represent and computationally analyze dynamical systems with finitely many states. However, to enable computational analysis of a general infinite state dynamical system we need a finitary way to represent a potentially infinite space of states. We begin this section by introducing concepts and notation used throughout this article, followed by discussing such syntactical models to represent purely discrete and purely continuous dynamical systems. After introducing these models we present hybrid automata capable of modeling hybrid dynamical systems.

Fig. 1. State transition graph for a mod-4 counter.


Variables and Predicates

Let $\mathbb{R}$ be the set of real numbers, $\mathbb{R}_{\ge 0}$ be the set of non-negative real numbers, and $\mathbb{Z}$ be the set of integers.

Let $X$ be a set of real-valued variables. A valuation on $X$ is a function $v : X \to \mathbb{R}$ and we write $V(X)$ for the set of valuations on $X$. Abusing notation, we also treat a valuation $v$ as a point in $\mathbb{R}^n$ that is equipped with the standard Euclidean norm $\|\cdot\|$, where $n$ is the cardinality of $X$.

We define a predicate over a set $X$ as a subset of $\mathbb{R}^{|X|}$. For efficient computer-readable representation of predicates we often define them using non-linear algebraic equations involving $X$. We write $\mathrm{pred}(X)$ for the set of predicates over $X$. For a predicate $\pi \in \mathrm{pred}(X)$ we write $[\![\pi]\!]$ for the set of valuations in $\mathbb{R}^{|X|}$ satisfying the equation $\pi$. We write $\top$ for the predicate that is true for all valuations, while $\bot$ for the predicate which is false for all the valuations.

Example 2: An example of a predicate over the variables $\theta$ and $\ddot{\theta}$ is

$$m \ell \ddot{\theta} = -m g \sin(\theta),$$

characterizing the motion of an idealized pendulum (Figure 3) where $\theta$ is the angle the pendulum forms with its rest position, $\ddot{\theta}$ is the second derivative of $\theta$, $m$ is the mass of the pendulum, $g$ is the gravitational constant, and $\ell$ is the length of the pendulum.

We say that a predicate $P$ is polyhedral if it is defined as the conjunction of a finite set of linear constraints of the form $a_1 x_1 + \cdots + a_n x_n \bowtie k$, where $k \in \mathbb{Z}$, for all $1 \le i \le n$ we have that $a_i \in \mathbb{Z}$, $x_i \in X$, and $\bowtie \in \{<, \le, =, \ge, >\}$. An example of a polyhedral predicate over the set $\{x, y, z\}$ is $2x + 3y - 9z \le 5$. We define an octagonal predicate as the conjunction of a finite set of linear constraints over $X$ of the form $\pm x \pm y \bowtie k$ or $x \bowtie k$, where $k \in \mathbb{R}$ and $x, y \in X$. Similarly a rectangular predicate is defined as the conjunction of a finite set of linear constraints over $X$ of the form $x \bowtie k$, where $k \in \mathbb{R}$ and $x \in X$.
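The following Python program is an added illustration for this review (it is not code from the paper): it parses linear constraints written in a small textual syntax such as `2x + 3y - 9z <= 5`, decides which of the three classes defined above (polyhedral, octagonal, rectangular) a constraint or a conjunction of constraints belongs to, and tests membership of a valuation in $[\![\pi]\!]$. The textual syntax and the representation of a predicate as a list of conjuncts are assumptions of the example.

```python
"""Parsing and classifying linear constraints into the polyhedral, octagonal and
rectangular predicate classes of this section, plus the membership test v ∈ [[π]].
Added example, not the paper's code. The textual syntax (e.g. "2x + 3y - 9z <= 5")
and the representation of a predicate as a list of conjuncts are assumptions."""
import re
from fractions import Fraction
from typing import Dict, List, Set, Tuple

Constraint = Tuple[Dict[str, Fraction], str, Fraction]  # (a_1 x_1 + ... + a_n x_n, ⋈, k)
Valuation = Dict[str, float]

TERM = re.compile(r"([+-]?)\s*(\d+(?:\.\d+)?)?\s*\*?\s*([A-Za-z_]\w*)")
LHS = re.compile(r"(?:\s*[+-]?\s*(?:\d+(?:\.\d+)?\s*\*?\s*)?[A-Za-z_]\w*\s*)+")
CONSTRAINT = re.compile(r"\s*(.*?)\s*(<=|>=|=|<|>)\s*([+-]?\d+(?:\.\d+)?)\s*")


def parse_constraint(text: str) -> Constraint:
    """'2x + 3y - 9z <= 5' ↦ ({x: 2, y: 3, z: -9}, '<=', 5). Coefficients are kept
    as exact fractions so that integrality (a_i ∈ Z, k ∈ Z) can be decided."""
    m = CONSTRAINT.fullmatch(text)
    if m is None:
        raise ValueError(f"not a linear constraint: {text!r}")
    lhs, rel, k = m.groups()
    if not LHS.fullmatch(lhs):
        raise ValueError(f"left-hand side is not a linear sum: {lhs!r}")
    coeffs: Dict[str, Fraction] = {}
    for sign, num, var in TERM.findall(lhs):
        a = Fraction(num) if num else Fraction(1)
        coeffs[var] = coeffs.get(var, Fraction(0)) + (-a if sign == "-" else a)
    return coeffs, rel, Fraction(k)


def constraint_classes(c: Constraint) -> Set[str]:
    """Which of the three classes a single constraint belongs to."""
    coeffs, _, k = c
    nz = [a for a in coeffs.values() if a != 0]
    out: Set[str] = set()
    if all(a.denominator == 1 for a in nz) and k.denominator == 1:
        out.add("polyhedral")        # a_i ∈ Z and k ∈ Z
    if len(nz) == 1 and nz[0] == 1:
        out.add("rectangular")       # x ⋈ k
        out.add("octagonal")         # x ⋈ k is also an octagonal constraint
    if len(nz) == 2 and all(abs(a) == 1 for a in nz):
        out.add("octagonal")         # ±x ± y ⋈ k
    return out


def predicate_classes(conjuncts: List[Constraint]) -> Set[str]:
    """A conjunction is in a class iff every conjunct is."""
    classes = {"polyhedral", "octagonal", "rectangular"}
    for c in conjuncts:
        classes &= constraint_classes(c)
    return classes


def satisfies(v: Valuation, c: Constraint) -> bool:
    """v ∈ [[c]]: evaluate the linear form at v and compare with k."""
    coeffs, rel, k = c
    lhs = sum(float(a) * v.get(x, 0.0) for x, a in coeffs.items())
    return {"<": lhs < k, "<=": lhs <= k, "=": lhs == k, ">=": lhs >= k, ">": lhs > k}[rel]


def in_predicate(v: Valuation, conjuncts: List[Constraint]) -> bool:
    """v ∈ [[π]] for the conjunction π of the given constraints."""
    return all(satisfies(v, c) for c in conjuncts)


if __name__ == "__main__":
    for text in ["2x + 3y - 9z <= 5", "x - y < 2.5", "x >= 0"]:
        print(text, "->", sorted(constraint_classes(parse_constraint(text))))
```

Note that the classes are not nested in the way one might expect: `x - y < 2.5` is octagonal but not polyhedral, because the definition of a polyhedral predicate above requires an integer constant $k$, whereas octagonal and rectangular constraints allow $k \in \mathbb{R}$.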
A. Discrete Dynamical Systems

Discrete dynamical systems can be conveniently modeled as extended finite state machines having finitely many control modes and transitions between these modes. The values of variables remain unchanged while the system is in some mode, and change only when a transition takes place, where they can “jump” to new values assigned by the transition. These jumps are specified using predicates over the set $X \cup X'$ that relate the current values of the variables of the system, given as the set $X$, to the values in the next time-step, given as the set $X'$ of primed versions of the variables in $X$. Transitions are often guarded by predicates over variables specifying the enabledness condition of the transition. Starting from some initial valuation of the variables, a system modeled using an extended finite state machine evolves in discrete time-steps. At each discrete step the system can take any enabled transition, i.e. one whose guard is satisfied by the current variable valuation, and after executing the transition the valuation of the variables is changed according to the jump condition. The system continues evolving in this fashion forever. An extended finite state machine is formally defined as follows.

Definition 2 (Extended Finite State Machines: Syntax): An extended finite state machine is a tuple $\mathcal{M} = (M, M_0, \Sigma, X, \Delta, I, V_0)$ such that:

— $M$ is a finite set of control modes including a distinguished initial set of control modes $M_0 \subseteq M$,

— $\Sigma$ is a finite set of actions,

— $X$ is a finite set of real-valued variables,

— $\Delta \subseteq M \times \mathrm{pred}(X) \times \Sigma \times \mathrm{pred}(X \cup X') \times M$ is the transition relation,

— $I : M \to \mathrm{pred}(X)$ is the mode-invariant function, and

— $V_0 \in \mathrm{pred}(X)$ is the set of initial valuations.

For a transition $\delta = (m, g, a, j, m') \in \Delta$ we refer to $m \in M$ as its source mode, $g \in \mathrm{pred}(X)$ as its guard, $a \in \Sigma$ as its action, $j \in \mathrm{pred}(X \cup X')$ as its jump constraint, and $m' \in M$ as the target mode.

A configuration of an extended finite state machine is a tuple $(m, v)$ where $m$ is a control mode and $v$ is a valuation of the variables in $X$. The execution of an extended finite state machine begins in a configuration $(m_0, v_0)$ such that the control mode $m_0 \in M_0$ is in the set of initial control modes and the valuation $v_0 \in V_0$ satisfies the invariant of mode $m_0$, i.e. $v_0 \in [\![I(m_0)]\!]$. At each discrete time-step the system executes a transition $(m, g, a, j, m')$ that is enabled in the current configuration $(m, v)$, i.e., $v \in [\![g]\!]$, and the configuration of the system jumps to a new configuration $(m', v')$ while respecting the jump constraint, i.e. $(v, v') \in [\![j]\!]$, as well as the invariant condition of the resulting mode, $v' \in [\![I(m')]\!]$. The system continues its execution from the resulting configuration in a similar fashion. Hence, we can define the semantics of an extended finite state machine as a state transition graph in the following manner.

[Figure 2 edge labels: $x < 3, \mathrm{tick}, x' = x + 1$; $\top, \mathrm{on}, x' = x$; $\top, \mathrm{tick}, x' = x$]

Definition 3 (Extended Finite State Machine: Semantics): The semantics of an extended finite state machine $\mathcal{M} = (M, M_0, \Sigma, X, \Delta, I, V_0)$ is given as a state transition graph $T_{\mathcal{M}} = (S_{\mathcal{M}}, S^0_{\mathcal{M}}, \Sigma_{\mathcal{M}}, \Delta_{\mathcal{M}})$ where:

— $S_{\mathcal{M}} \subseteq (M \times \mathbb{R}^{|X|})$ is the set of configurations of $\mathcal{M}$ such that for all $(m, v) \in S_{\mathcal{M}}$ we have that $v \in [\![I(m)]\!]$;

— $S^0_{\mathcal{M}} \subseteq S_{\mathcal{M}}$ such that $(m, v) \in S^0_{\mathcal{M}}$ if $m \in M_0$ and $v \in V_0$;

— $\Sigma_{\mathcal{M}} = \Sigma$ is the set of labels;

— $\Delta_{\mathcal{M}} \subseteq S_{\mathcal{M}} \times \Sigma_{\mathcal{M}} \times S_{\mathcal{M}}$ is the set of transitions such that $((m, v), a, (m', v')) \in \Delta_{\mathcal{M}}$ if there exists a transition $\delta = (m, g, a, j, m') \in \Delta$ such that the current valuation $v$ satisfies the guard of $\delta$, i.e. $v \in [\![g]\!]$; the pair of current and next valuations $(v, v')$ satisfies the jump constraint of $\delta$, i.e. $(v, v') \in [\![j]\!]$; and the next valuation satisfies the invariant of the target mode of $\delta$, i.e. $v' \in [\![I(m')]\!]$.

Let us consider an example of the syntax and semantics of an extended finite state machine.

Example 3 (Modulo-4 counter): Let us consider a modulo-4 counter with reset and pause functionality shown in Figure 2. This extended finite state machine $\mathcal{M} = (M, M_0, \Sigma, X, \Delta, I, V_0)$ has two control modes $M = \{\mathrm{count}, \mathrm{pause}\}$ with count being the initial mode. The variable $x$ is the only variable, while the set of actions is $\Sigma = \{\mathrm{tick}, \mathrm{on}, \mathrm{pause}\}$ where tick, on, and pause stand for clock-tick, start-counting, and pause-counting actions, respectively. While drawing an extended finite state machine, we depict modes by rounded rectangles and transitions by arrows connecting the modes labeled by a triplet $(g, a, j)$ showing the guard, the action, and the jump predicate of the transition. For example the transition $(\mathrm{count}, x = 3, \mathrm{tick}, x' = 0, \mathrm{count})$ is shown in Figure 2 as a self-loop labeled with $(x = 3, \mathrm{tick}, x' = 0)$ on the mode labeled count. It is straightforward to see that the extended finite state machine in Figure 2 models a modulo-4 counter with reset and pause. The corresponding state transition graph is shown in Figure 1.

In the rest of the article, to minimize clutter, we will omit the guard if it is the predicate $\top$, and we omit the jump predicates specifying that the value of a variable remains unchanged, i.e. predicates of the form $x' = x$.
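As an added, executable illustration of Definitions 1 and 3 (this program is written for this review and is not the paper's code), the following Python encodes the modulo-4 counter of Example 3 as an extended finite state machine, computes the reachable part of its state transition graph $T_{\mathcal{M}}$ by breadth-first search, and checks the run of Example 1 against the resulting transition relation. Guards and jump predicates are represented as Python callables, and the variable $x$ is enumerated over the constructed finite domain $\{0, \ldots, 3\}$ so that the successors $\mathrm{Post}$ can be computed by search; both are assumptions of the example.

```python
"""Definitions 1 and 3 executed on the mod-4 counter of Examples 1 and 3.
Added example (not the paper's code). Assumptions: guards and jump predicates
are Python callables, and the variable x is enumerated over the constructed
finite domain 0..3 so that the successor relation can be computed by search."""
from collections import deque
from itertools import product
from typing import Callable, Dict, Iterable, List, Set, Tuple

Valuation = Dict[str, int]
Guard = Callable[[Valuation], bool]               # predicate over X
Jump = Callable[[Valuation, Valuation], bool]     # predicate over X ∪ X' (current, next)
Config = Tuple[str, Tuple[Tuple[str, int], ...]]  # (mode, frozen valuation)

TOP: Guard = lambda v: True   # the predicate ⊤


def freeze(v: Valuation) -> Tuple[Tuple[str, int], ...]:
    """Hashable form of a valuation so that configurations can be set members."""
    return tuple(sorted(v.items()))


class EFSM:
    """M = (M, M0, Σ, X, Δ, I, V0) of Definition 2."""

    def __init__(self, modes, init_modes, actions, variables, transitions, invariant, init_vals):
        self.M, self.M0, self.Sigma, self.X = modes, init_modes, actions, variables
        self.Delta: List[Tuple[str, Guard, str, Jump, str]] = transitions
        self.I: Dict[str, Guard] = invariant
        self.V0: List[Valuation] = init_vals

    def post(self, mode: str, v: Valuation, domain: Iterable[int]) -> Set[Tuple[str, Config]]:
        """Labelled successors of (mode, v) as in Definition 3: a transition (m, g, a, j, m')
        contributes (a, (m', v')) when v ⊨ g, (v, v') ⊨ j and v' ⊨ I(m')."""
        succ: Set[Tuple[str, Config]] = set()
        for (m, g, a, j, m2) in self.Delta:
            if m != mode or not g(v):
                continue
            for vals in product(domain, repeat=len(self.X)):
                v2 = dict(zip(self.X, vals))
                if j(v, v2) and self.I[m2](v2):
                    succ.add((a, (m2, freeze(v2))))
        return succ


def build_stg(efsm: EFSM, domain: Iterable[int]):
    """Reachable part of the state transition graph T_M: (S_M, S_M^0, Δ_M) by BFS."""
    domain = list(domain)
    inits = {(m0, freeze(v0)) for m0 in efsm.M0 for v0 in efsm.V0 if efsm.I[m0](v0)}
    states, edges, queue = set(inits), set(), deque(inits)
    while queue:
        m, fv = queue.popleft()
        for a, c2 in efsm.post(m, dict(fv), domain):
            edges.add(((m, fv), a, c2))
            if c2 not in states:
                states.add(c2)
                queue.append(c2)
    return states, inits, edges


def is_run(inits, edges, seq: List) -> bool:
    """A finite run per Definition 1: (s0, a1, s1, ..., sn) with s0 ∈ S0 and
    (s_i, a_{i+1}, s_{i+1}) ∈ Δ for every i."""
    if len(seq) % 2 == 0 or seq[0] not in inits:
        return False
    return all((seq[i], seq[i + 1], seq[i + 2]) in edges for i in range(0, len(seq) - 1, 2))


def cfg(mode: str, x: int) -> Config:
    return (mode, (("x", x),))


# The mod-4 counter with reset and pause of Figure 2 (jumps x' = x written out explicitly).
COUNTER = EFSM(
    modes=["count", "pause"], init_modes=["count"], actions=["tick", "on", "pause"],
    variables=["x"],
    transitions=[
        ("count", lambda v: v["x"] < 3, "tick", lambda v, w: w["x"] == v["x"] + 1, "count"),
        ("count", lambda v: v["x"] == 3, "tick", lambda v, w: w["x"] == 0, "count"),  # reset
        ("count", TOP, "pause", lambda v, w: w["x"] == v["x"], "pause"),
        ("pause", TOP, "on", lambda v, w: w["x"] == v["x"], "count"),
        ("pause", TOP, "tick", lambda v, w: w["x"] == v["x"], "pause"),
    ],
    invariant={"count": TOP, "pause": TOP},
    init_vals=[{"x": 0}],
)

STATES, INITS, EDGES = build_stg(COUNTER, domain=range(4))

# The run of Example 1 as a sequence of configurations and actions.
EXAMPLE_RUN = [cfg("count", 0), "tick", cfg("count", 1), "pause", cfg("pause", 1),
               "tick", cfg("pause", 1), "on", cfg("count", 1), "tick", cfg("count", 2)]

if __name__ == "__main__":
    print(len(STATES), "configurations,", len(EDGES), "transitions")
    print("Example 1 run is valid:", is_run(INITS, EDGES, EXAMPLE_RUN))
```

The enumeration over a finite domain is what makes the jump relation computable here; for real-valued variables the same definition yields an infinite graph, which is exactly why the continuous and hybrid models that follow need a finitary representation.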

B. Continuous Dynamical Systems

For the purpose of this article, a continuous dynamical system is a finite set of continuous variables along with a set of ordinary differential equations characterizing the dynamics or the flow of these variables as a function of time. We represent the flow of a continuous dynamical system using a flow function $F : \mathbb{R}^{|X|} \to \mathbb{R}^{|X|}$ characterizing the system of ordinary differential equations:

$$\dot{X} = F(X) \tag{1}$$

where, following Newton’s dot notation for differentiation, $\dot{X}$ represents the set of first-order derivatives of the variables in the set $X$. Information about the higher-order derivatives can be represented using only first-order derivatives by introducing auxiliary variables. For example the second-order differential equation $\ddot{\theta} + (g/\ell)\sin(\theta) = 0$ can be written as the system of first-order differential equations $\dot{\theta} = y$, $\dot{y} = -(g/\ell)\sin(\theta)$. Formally, a continuous dynamical system is defined in the following manner.

Fig. 2. An EFSM description of a mod-4 counter with reset and pause.

Fig. 3. An idealized pendulum with length $\ell$ and mass $m$.

Definition 4 (Continuous Dynamical System): A continuous dynamical system is a tuple $\mathcal{M} = (X, F, v_0)$ such that

— $X$ is a finite set of real-valued variables,

— $F : \mathbb{R}^{|X|} \to \mathbb{R}^{|X|}$ is the flow function characterizing the set of ordinary differential equations $\dot{X} = F(X)$, and

— $v_0 \in \mathbb{R}^{|X|}$ is the initial valuation.

A run of a continuous dynamical system $\mathcal{M} = (X, F, v_0)$ is given as a solution to the system of differential equations (1) with initial valuation $v_0$. Let a differentiable function $f : \mathbb{R}_{\ge 0} \to \mathbb{R}^{|X|}$ be a solution to (1) that provides the valuations of the variables as a function of time, such that:

$$f(0) = v_0, \qquad \dot{f}(t) = F(f(t)) \ \text{ for every } t \in \mathbb{R}_{\ge 0},$$

where $\dot{f} : \mathbb{R}_{\ge 0} \to \mathbb{R}^{|X|}$ is the time derivative of the function $f$. We call such a function $f$ a run of the continuous dynamical system $\mathcal{M}$. Since, in general, a solution of (1) may not exist or may not be unique, a run of a continuous dynamical system may not exist or may not be unique [74]. To ensure the existence and the uniqueness of the run we enforce a Lipschitz-continuity² assumption on $F$. The following result states the existence and uniqueness of the solution of the set of ordinary differential equations (1) under the Lipschitz-continuity assumption.

Theorem 1 (Picard-Lindelöf Theorem [90]): If a function $F : \mathbb{R}^{|X|} \to \mathbb{R}^{|X|}$ is Lipschitz-continuous then the differential equation $\dot{X} = F(X)$ with initial valuation $v_0 \in \mathbb{R}^{|X|}$ has a unique solution $f : \mathbb{R}_{\ge 0} \to \mathbb{R}^{|X|}$ for all $v_0 \in \mathbb{R}^{|X|}$.

In addition, Lipschitz-continuity offers the following advantage while numerically simulating an approximate solution to the differential equations (1).

² We say that a function $F : \mathbb{R}^n \to \mathbb{R}^n$ is Lipschitz-continuous if there exists a constant $K > 0$, called the Lipschitz constant, such that for all $x, y \in \mathbb{R}^n$ we have that $\|F(x) - F(y)\| \le K \|x - y\|$.



Fig. 4. The variables $\theta$ (angle displacement) and $y$ (angular velocity) plotted with respect to time for a pendulum with $\ell = 1$ meter and $\theta_0 = 5$ degrees.

Theorem 2 (Stability w.r.t. initial valuation): Let $F$ be a Lipschitz-continuous function with constant $K > 0$ and let $f : \mathbb{R}_{\ge 0} \to \mathbb{R}^{|X|}$ and $f' : \mathbb{R}_{\ge 0} \to \mathbb{R}^{|X|}$ be solutions to the differential equation $\dot{X} = F(X)$ with initial valuations $v_0 \in \mathbb{R}^{|X|}$ and $v_0' \in \mathbb{R}^{|X|}$, respectively. Then, for all $t \in \mathbb{R}_{\ge 0}$ we have that

$$\|f(t) - f'(t)\| \le \|v_0 - v_0'\| \, e^{Kt}.$$

This theorem implies that, under the Lipschitz-continuity assumption on the flow function $F$, any two runs whose initial valuations are close to one another remain close as time progresses. Since it is not always possible to analytically solve differential equations, this property permits us to numerically simulate the behaviour of a continuous dynamical system using approximation methods, e.g. Euler’s method or the Runge-Kutta method, that are readily available in tools such as Matlab [79] and Mathematica [98].

Example 4 (Simple Pendulum): Consider the simple pendulum shown in Figure 3 and its equations of motion:

$$\dot{\theta} = y, \qquad \dot{y} = -(g/\ell)\sin(\theta),$$

with initial valuation $(\theta, y) = (\theta_0, 0)$. To analytically solve these equations let us assume a small enough angular displacement $\theta$ and $\sin(\theta) \approx \theta$. Now the equations simplify to

$$\dot{\theta} = y \quad \text{and} \quad \dot{y} = -(g/\ell)\,\theta.$$

Hence our continuous dynamical system is $\mathcal{M} = (X, F, v_0)$ where $X = \{\theta, y\}$, $F$ is such that $F(\theta) = y$ and $F(y) = -(g/\ell)\theta$, and $v_0 = (\theta_0, 0)$. The solution of these differential equations is

$$\theta(t) = A\cos(Kt) + B\sin(Kt), \qquad y(t) = -AK\sin(Kt) + BK\cos(Kt),$$

where $K = \sqrt{g/\ell}$. Substituting $\theta(0) = \theta_0$ and $y(0) = 0$ from the initial valuation, we get that $A = \theta_0$ and $B = 0$. Hence the unique run of the pendulum system can be given as the function $f : \mathbb{R}_{\ge 0} \to V(\{\theta, y\})$ with $t \mapsto (\theta_0\cos(Kt), -\theta_0 K\sin(Kt))$. Figure 4 shows the change in the valuations of the variables $\theta$ and $y$ as a function of time.
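The following Python program is an added illustration for this review (not code from the paper) of Definition 4, Theorem 2 and Example 4. It approximates the run of the pendulum with a classical fourth-order Runge-Kutta integrator, compares it with the analytic run $t \mapsto (\theta_0\cos Kt, -\theta_0 K\sin Kt)$, measures how far the small-angle simplification $\sin\theta \approx \theta$ drifts from the exact flow of Example 2 for a small and for a large $\theta_0$, and checks the bound of Theorem 2 along two simulated runs. The values $g = 9.81\ \mathrm{m/s^2}$, $\ell = 1\ \mathrm{m}$, the step size and the Lipschitz constant $\max(1, g/\ell)$ are assumptions of the example.

```python
"""Definition 4, Theorem 2 and Example 4 in practice: an RK4 simulation of the
pendulum run, checked against the analytic solution, a measurement of how far
the small-angle assumption sin θ ≈ θ drifts, and a check of the stability bound
||f(t) - f'(t)|| ≤ ||v0 - v0'|| e^{Kt}. Added example, not the paper's code;
g = 9.81 m/s^2, ℓ = 1 m and the step size are assumptions."""
import math
from typing import Callable, List, Tuple

Vec = Tuple[float, ...]
Flow = Callable[[Vec], Vec]

G = 9.81  # gravitational constant in m/s^2 (assumption)


def deg(d: float) -> float:
    return math.radians(d)


def linear_pendulum(ell: float) -> Flow:
    """F for the small-angle pendulum of Example 4: θ' = y, y' = -(g/ℓ) θ."""
    return lambda v: (v[1], -(G / ell) * v[0])


def pendulum(ell: float) -> Flow:
    """F for the idealized pendulum of Example 2: θ' = y, y' = -(g/ℓ) sin θ."""
    return lambda v: (v[1], -(G / ell) * math.sin(v[0]))


def lipschitz_constant(ell: float) -> float:
    """A Lipschitz constant valid for both flows above under the Euclidean norm:
    ||F(u) - F(w)|| ≤ max(1, g/ℓ) ||u - w||, using |sin a - sin b| ≤ |a - b|."""
    return max(1.0, G / ell)


def dist(u: Vec, w: Vec) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, w)))


def rk4_run(F: Flow, v0: Vec, t_end: float, dt: float) -> List[Tuple[float, Vec]]:
    """Approximate the run f with f(0) = v0 and f'(t) = F(f(t)) by classical
    fourth-order Runge-Kutta; returns the sampled trajectory [(t, f(t)), ...]."""
    def step(v: Vec, a: float, k: Vec) -> Vec:
        return tuple(vi + a * ki for vi, ki in zip(v, k))
    t, v = 0.0, tuple(v0)
    traj = [(t, v)]
    for _ in range(int(round(t_end / dt))):
        k1 = F(v)
        k2 = F(step(v, dt / 2, k1))
        k3 = F(step(v, dt / 2, k2))
        k4 = F(step(v, dt, k3))
        v = tuple(vi + dt / 6 * (a + 2 * b + 2 * c + d)
                  for vi, a, b, c, d in zip(v, k1, k2, k3, k4))
        t += dt
        traj.append((t, v))
    return traj


def analytic_run(theta0: float, ell: float, t: float) -> Vec:
    """The unique run of Example 4: t ↦ (θ0 cos Kt, -θ0 K sin Kt) with K = sqrt(g/ℓ)."""
    K = math.sqrt(G / ell)
    return (theta0 * math.cos(K * t), -theta0 * K * math.sin(K * t))


def max_error_vs_analytic(theta0: float, ell: float, t_end=4.0, dt=1e-3) -> float:
    """Largest distance between the RK4 trajectory and the analytic run."""
    traj = rk4_run(linear_pendulum(ell), (theta0, 0.0), t_end, dt)
    return max(dist(v, analytic_run(theta0, ell, t)) for t, v in traj)


def small_angle_deviation(theta0: float, ell: float, t_end=4.0, dt=1e-3) -> float:
    """Largest |θ_nonlinear(t) - θ_linear(t)|: the price of assuming sin θ ≈ θ."""
    lin = rk4_run(linear_pendulum(ell), (theta0, 0.0), t_end, dt)
    non = rk4_run(pendulum(ell), (theta0, 0.0), t_end, dt)
    return max(abs(a[0] - b[0]) for (_, a), (_, b) in zip(lin, non))


def stability_bound_holds(F: Flow, K: float, v0: Vec, v0p: Vec,
                          t_end=4.0, dt=1e-3, tol=1e-9) -> bool:
    """Theorem 2 along two simulated runs: ||f(t) - f'(t)|| ≤ ||v0 - v0'|| e^{Kt}."""
    f, fp = rk4_run(F, v0, t_end, dt), rk4_run(F, v0p, t_end, dt)
    d0 = dist(v0, v0p)
    return all(dist(u, w) <= d0 * math.exp(K * t) + tol
               for (t, u), (_, w) in zip(f, fp))


if __name__ == "__main__":
    print("RK4 vs analytic (5 deg):", max_error_vs_analytic(deg(5), 1.0))
    print("small-angle drift at 5 deg:", small_angle_deviation(deg(5), 1.0))
    print("small-angle drift at 45 deg:", small_angle_deviation(deg(45), 1.0))
    print("Theorem 2 bound holds:", stability_bound_holds(
        pendulum(1.0), lipschitz_constant(1.0), (deg(5), 0.0), (deg(6), 0.0)))
```

The bound $e^{Kt}$ of Theorem 2 is a worst case: for the pendulum the two runs stay within a constant factor of their initial distance, far below the exponential, which is what makes numerical simulation of the run trustworthy over the simulated horizon.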
Fig. 5. Runs of discrete, continuous, and hybrid systems.


C. Hybrid Dynamical Systems 

In the previous two subsections we discussed modeling of purely discrete and purely continuous dynamical systems. We saw that in a discrete dynamical system the state of the system changes during a discrete transition where it “jumps” (see Figure 5) to the new value governed by the transition relation, while in a continuous system the state of the system continuously “flows” (see Figure 5) in a fashion governed by ordinary differential equations. Hybrid systems share their properties with both discrete as well as continuous systems, as their state progresses with time in both discrete jumps as well as continuous flows. In this section we present hybrid automata, a combination of extended finite state machines and continuous dynamical systems, where in every control mode the dynamics of the variables of the system can be specified using ordinary differential equations.

Definition 5 (Hybrid Automata: Syntax): A hybrid automaton is a tuple $\mathcal{H} = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ where:

— $M$ is a finite set of control modes including a distinguished initial set of control modes $M_0 \subseteq M$,

— $\Sigma$ is a finite set of actions,

— $X$ is a finite set of real-valued variables,

— $\Delta \subseteq M \times \mathrm{pred}(X) \times \Sigma \times \mathrm{pred}(X \cup X') \times M$ is the transition relation,

— $I : M \to \mathrm{pred}(X)$ is the mode-invariant function,

— $F : M \to (\mathbb{R}^{|X|} \to \mathbb{R}^{|X|})$ is the mode-dependent flow function characterizing the flow for each mode $m \in M$ as the set of ODEs $\dot{X} = F(m)(X)$, and

— $V_0 \in \mathrm{pred}(X)$ is the set of initial valuations.

To ensure existence of unique solutions of the ODEs in flow functions, we assume that for each mode $m \in M$ the flow function $F(m)$ is Lipschitz-continuous.

Just like in an extended finite state machine, a configuration of a hybrid automaton is a tuple $(m, v)$ where $m \in M$ is a mode and $v \in \mathbb{R}^{|X|}$ is a variable valuation. For a Lipschitz-continuous flow function $F : M \to (\mathbb{R}^{|X|} \to \mathbb{R}^{|X|})$, a valuation $v \in \mathbb{R}^{|X|}$, a mode $m \in M$, and a time delay $t \in \mathbb{R}_{\ge 0}$ we define $(v \oplus_{F(m)} t)$ as the unique valuation $f(t)$ where $f$ is the unique run of the continuous dynamical system $(X, F(m), v)$. For a jump predicate $j \in \mathrm{pred}(X \cup X')$ and a valuation $v$ we define $v[j]$ as the set of valuations $v' \in \mathbb{R}^{|X|}$ such that $(v, v') \in [\![j]\!]$.


The execution of a hybrid automaton begins in an initial configuration $(m_0, v_0)$ where $m_0 \in M_0$ is an initial mode and $v_0 \in V_0$ is an initial valuation satisfying $v_0 \in [\![I(m_0)]\!]$. The system stays in a mode for some time, say $t_1 \in \mathbb{R}_{\ge 0}$, and while the system stays in a control mode $m$ the valuation of the variables changes according to the ODE specified by the flow $F(m)$ of the corresponding mode. After spending $t_1 \in \mathbb{R}_{\ge 0}$ time in mode $m_0$ an enabled transition $(m_0, g, a, j, m_1)$ is non-deterministically chosen and executed. Notice that we say that a transition $(m_0, g, a, j, m_1)$ is enabled if $(v_0 \oplus_{F(m_0)} t_1) \in [\![g]\!]$ and all the intermediate valuations that the system passes through from $v_0$ to $(v_0 \oplus_{F(m_0)} t_1)$ satisfy the invariant of the mode $m_0$, i.e. for all $t \in [0, t_1]$ we have that $(v_0 \oplus_{F(m_0)} t) \in [\![I(m_0)]\!]$. After executing the transition $(m_0, g, a, j, m_1)$ the state of the system jumps to a new configuration $(m_1, v_1)$ such that $v_1 \in [\![I(m_1)]\!]$ and $v_1 \in (v_0 \oplus_{F(m_0)} t_1)[j]$. The system continues its operation in a similar manner from the resulting configuration $(m_1, v_1)$. We can formalize this semantics using an (uncountably infinite) state transition graph.

Definition 6 (Hybrid Automata: Semantics): The semantics of a hybrid automaton $\mathcal{H} = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ is given as a state transition graph $T_{\mathcal{H}} = (S_{\mathcal{H}}, S^0_{\mathcal{H}}, \Sigma_{\mathcal{H}}, \Delta_{\mathcal{H}})$ where:

— $S_{\mathcal{H}} \subseteq (M \times \mathbb{R}^{|X|})$ is the set of configurations of $\mathcal{H}$ such that for all $(m, v) \in S_{\mathcal{H}}$ we have that $v \in [\![I(m)]\!]$;

— $S^0_{\mathcal{H}} \subseteq S_{\mathcal{H}}$ s.t. $(m, v) \in S^0_{\mathcal{H}}$ if $m \in M_0$ and $v \in V_0$;

— $\Sigma_{\mathcal{H}} = \mathbb{R}_{\ge 0} \times \Sigma$ is the set of labels;

— $\Delta_{\mathcal{H}} \subseteq S_{\mathcal{H}} \times \Sigma_{\mathcal{H}} \times S_{\mathcal{H}}$ is the set of transitions such that $((m, v), (t, a), (m', v')) \in \Delta_{\mathcal{H}}$ if there exists a transition $\delta = (m, g, a, j, m') \in \Delta$ such that

  - $(v \oplus_{F(m)} t) \in [\![g]\!]$;

  - $(v \oplus_{F(m)} \tau) \in [\![I(m)]\!]$ for all $\tau \in [0, t]$;

  - $v' \in (v \oplus_{F(m)} t)[j]$; and

  - $v' \in [\![I(m')]\!]$.

Example 5 (A bouncing ball): In Figure 6 we model a bouncing ball using a hybrid automaton with one control mode $m$ and two variables: the variable $x_1$, representing the vertical position of the ball, and the variable $x_2$, representing the vertical velocity of the ball.

Fig. 6. A hybrid automaton modeling the dynamics of a bouncing ball (mode $m$ with flow $\dot{x}_1 = x_2 \wedge \dot{x}_2 = -g$; self-loop with guard $x_1 = 0 \wedge x_2 < 0$, action impact, and jump $x_1' = x_1 \wedge x_2' = -c x_2$).

The differential equations governing the free fall of the ball can be given using Newton's law of motion as $\dot{x}_1 = x_2$ and $\dot{x}_2 = -g$. The valuations of the variables flow according to these equations until the ball comes in contact with the ground, and at that time it reverses the direction of its velocity, while losing some energy proportional to its restitution coefficient $c$, i.e. after the impact we have $x_1' = x_1$ and $x_2' = -c x_2$. Observe that the bouncing ball system is a hybrid system since its dynamics involve both flows and jumps. The continuous dynamics of the system is captured using the flow function of the unique mode $m$, while the jump is modeled with the discrete transition labeled impact. For the starting valuation we assume $x_1 = \ell$ meters and $x_2 = 0$. Formally the hybrid automaton $\mathcal{H} = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ models the bouncing ball where:

— $M = M_0 = \{m\}$,

— $\Sigma = \{\mathit{impact}\}$,

— $X = \{x_1, x_2\}$,

— $\Delta$ contains the single transition $(m,\ x_1 = 0 \wedge x_2 < 0,\ \mathit{impact},\ x_1' = x_1 \wedge x_2' = -c x_2,\ m)$,

— $I(m) = x_1 \geq 0$,

— $F(m) = \dot{x}_1 = x_2 \wedge \dot{x}_2 = -g$, and

— $V_0 = \{(\ell, 0)\}$.

The transition diagram corresponding to this automaton is shown in Figure 6 a). The transition diagram of a hybrid automaton follows similar conventions to that of an extended finite state machine, with the exception of flow conditions. We write the flow conditions of a mode inside the rounded rectangle representing the mode.

Now let us explain the unique run of the system starting from the configuration $(m, (\ell, 0))$. The solution to the ODE corresponding to the flow function is

$$x_1(t) = -\tfrac{1}{2} g t^2 + Ct + D \quad \text{and} \quad x_2(t) = -gt + C. \tag{2}$$

For the initial configuration $(m, (\ell, 0))$, solving (2) we get $C = 0$ and $D = \ell$. Hence from $(m, (\ell, 0))$ the system flows according to the equations $x_1(t) = -\tfrac{1}{2} g t^2 + \ell$ and $x_2(t) = -gt$. According to these equations the value of the variable $x_1$ continues to fall for the next $t_1 = \sqrt{2\ell/g}$ time units, when $x_1$ becomes 0 and the transition impact becomes available and must be taken (since the invariant of the mode requires $x_1$ to be non-negative). Immediately before taking the transition the valuation is $(0, -g t_1)$. Using our notation we can write it as $(0, -g t_1) = (\ell, 0) \oplus F(m)\,t_1$.

After taking the transition impact this valuation changes according to the jump function $x_1' = x_1 \wedge x_2' = -c x_2$, resulting in the new valuation $(0, c g t_1)$. Again, in our notation we write $(0, c g t_1) \in (0, -g t_1)[x_1' = x_1 \wedge x_2' = -c x_2]$. The run of the system, so far, can be written as $((m, (\ell, 0)), (t_1, \mathit{impact}), (m, (0, c g t_1)))$. Now from the configuration $(m, (0, c g t_1))$ the system can flow continuously according to $F(m)$. Solving (2) for this initial valuation we get $C = c g t_1$ and $D = 0$. Hence from $(m, (0, c g t_1))$ the system flows according to the equations $x_1(t) = -\tfrac{1}{2} g t^2 + c g t_1 t$ and $x_2(t) = -gt + c g t_1$ for the next $t_2 = 2 c t_1$ time units, till it reaches the valuation $x_1 = 0$ (the ball hits the ground again). At this point the resulting valuation will be $(0, -c g t_1)$ and after the transition the valuation will be $(0, c^2 g t_1)$. The system continues in this fashion forever and realizes the following infinite run of the system:

$$((m, (\ell, 0)),\ (t_1, \mathit{impact}),\ (m, (0, c g t_1)),\ (2 c t_1, \mathit{impact}),\ (m, (0, c^2 g t_1)),\ (2 c^2 t_1, \mathit{impact}),\ (m, (0, c^3 g t_1)),\ \ldots), \tag{3}$$

where $t_1 = \sqrt{2\ell/g}$. The first two transitions of the run for $\ell = 10$ and $c = 1$ are shown in Figure 7 b).

Fig. 7. A run of the system where the initial vertical position is $\ell = 10$ meters and the coefficient of restitution $c = 1$ (plot of $x_1$ against $t$, in seconds).

Fig. 8. Network of hybrid automata $\mathcal{H}_{j_1}$, $\mathcal{H}_{j_2}$, and $\mathcal{H}_{m_1}$ corresponding to jobs $j_1$ and $j_2$, and a machine $m_1$, and their product automaton $\mathcal{H}_{j_1} \otimes \mathcal{H}_{j_2} \otimes \mathcal{H}_{m_1}$.

For a given run $r = ((m_0, v_0), (t_1, a_1), (m_1, v_1), \ldots)$ of a hybrid automaton we define its time $T(r)$ as

$$T(r) = \sum_{i=1}^{\infty} t_i.$$

We say that a run $r$ is time-diverging if $T(r) = \infty$. For an example of a time-diverging run consider (3) for $c = 1$, as shown in Figure 7 b), where the time between every two consecutive transitions is $2\sqrt{2\ell/g}$. The infinite run in this example seems natural since we assume the restitution coefficient $c = 1$, and under this unrealistic assumption we expect the ball to bounce indefinitely. However, given the generality of the model of hybrid automata, the time divergence of a run is not always guaranteed. As an example consider again the bouncing ball system, now with restitution coefficient $0 < c < 1$. In this case the time of the run (3) is $T(r) = t_1(1 + c)/(1 - c)$, which is finite for any $0 < c < 1$. Runs that are not time-diverging are, on an intuitive level, not physically realizable, since they execute infinitely many discrete transitions in a finite amount of time. Assuming the possibility of realizing infinitely many discrete actions in a finite time often leads to paradoxical situations, commonly known as Zeno's paradoxes, and runs that do not diverge also go by the name of Zeno runs. We call a hybrid automaton non-Zeno if it does not permit any Zeno run. We will later see that the ability of hybrid automata to model Zeno runs often causes difficulty in their analysis.
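The run (3) and the bound $T(r) = t_1(1 + c)/(1 - c)$ can be checked numerically from the closed-form flow (2). The following Python example is added here and is not part of the original article; the function names and the partial-sum test for Zeno behaviour are this example's own.

```python
import math


def first_impact_time(ell, g):
    """t1 = sqrt(2*ell/g): the time at which x1(t) = -g t^2/2 + ell reaches 0."""
    return math.sqrt(2.0 * ell / g)


def bouncing_ball_run(ell, g, c, n_jumps):
    """Generate the first n_jumps discrete transitions of run (3), starting from
    configuration (m, (ell, 0)).  Each entry is (delay, action, valuation): the
    time spent in mode m before the impact and the valuation (x1, x2) just
    after the jump x1' = x1, x2' = -c*x2.  The flow in mode m is used in closed
    form: x1(t) = -g t^2/2 + C t + D, x2(t) = -g t + C."""
    run = []
    x1, x2 = ell, 0.0                        # initial valuation (ell, 0)
    for i in range(n_jumps):
        if i == 0:
            delay = first_impact_time(ell, g)  # fall from height ell (C = 0, D = ell)
        else:
            delay = 2.0 * x2 / g             # from (0, x2): x1 returns to 0 after 2*x2/g
        x2_at_impact = x2 - g * delay        # velocity when x1 hits 0 (negative)
        x1, x2 = 0.0, -c * x2_at_impact      # jump: reverse velocity, lose factor c
        run.append((delay, "impact", (x1, x2)))
    return run


def run_time(run):
    """T(r) restricted to the transitions generated so far: the sum of delays."""
    return sum(delay for delay, _, _ in run)


def zeno_limit(ell, g, c):
    """For 0 < c < 1 the whole run (3) is Zeno: T(r) = t1 (1 + c) / (1 - c)."""
    t1 = first_impact_time(ell, g)
    return t1 * (1.0 + c) / (1.0 - c)


def is_zeno(ell, g, c, n_jumps=200, tol=1e-9):
    """Zeno check for this automaton: with c < 1 the partial sums of the delays
    converge to zeno_limit; with c >= 1 they grow without bound."""
    if c >= 1.0:
        return False
    partial = run_time(bouncing_ball_run(ell, g, c, n_jumps))
    return abs(partial - zeno_limit(ell, g, c)) < tol


if __name__ == "__main__":
    for delay, action, valuation in bouncing_ball_run(10.0, 9.8, 0.5, 4):
        print(f"{action} after {delay:.3f}s -> valuation {valuation}")
    print("Zeno for c = 0.5:", is_zeno(10.0, 9.8, 0.5))
```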

D. Composition of a Network of Hybrid Automata 

While modeling a complex hybrid system using hybrid automata, it is often convenient to represent the various components of the system as a network of hybrid automata $C = \{\mathcal{H}^1, \mathcal{H}^2, \ldots, \mathcal{H}^n\}$ that communicate with each other using shared variables and actions. Specifying a system as a composition of various subsystems offers two main advantages, namely abstraction and modularity. The first advantage (abstraction) is that it allows the system designer to concentrate on the details of one subsystem at a time without getting overwhelmed by the complexity of the interaction of this subsystem with the others. The second advantage (modularity) is that in a system designed in this fashion it is easy to add, remove, and modify subsystems. The semantics of such a network can also be given as a single hybrid automaton $\mathcal{H}$, called the product automaton of $C$, whose states are products of the states of the individual component automata. We define this construction as follows.

Definition 7 (Composition): Let $C = \{\mathcal{H}^1, \mathcal{H}^2, \ldots, \mathcal{H}^n\}$ be a network of hybrid automata where for each $1 \leq i \leq n$ let $\mathcal{H}^i$ be $(M^i, M_0^i, \Sigma^i, X^i, \Delta^i, I^i, F^i, V_0^i)$. For an action $a \in \bigcup_{i=1}^{n} \Sigma^i$ we define $E(a) = \{i : a \in \Sigma^i\}$. The product automaton $\mathcal{H}^1 \otimes \mathcal{H}^2 \otimes \cdots \otimes \mathcal{H}^n$ of $C$ is defined as a hybrid automaton $\mathcal{H} = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ where

— $M = M^1 \times M^2 \times \cdots \times M^n$,

— $M_0 = M_0^1 \times M_0^2 \times \cdots \times M_0^n$,

— $\Sigma = \Sigma^1 \cup \Sigma^2 \cup \cdots \cup \Sigma^n$,

— $X = X^1 \cup X^2 \cup \cdots \cup X^n$,

— $\Delta \subseteq (M \times \mathrm{pred}(X) \times \Sigma \times \mathrm{pred}(X \cup X') \times M)$ is defined s.t. $((m_1, \ldots, m_n), g, a, j, (m_1', \ldots, m_n')) \in \Delta$ if and only if for all $i \notin E(a)$ we have that $m_i = m_i'$ and for all $i \in E(a)$ there exists a transition $(m_i, g_i, a, j_i, m_i') \in \Delta^i$ such that $g = \bigwedge_{i \in E(a)} g_i$ and $j = \bigwedge_{i \in E(a)} j_i$;

— $I$ is such that $I(m_1, \ldots, m_n) = \bigwedge_{i=1}^{n} I^i(m_i)$;

— $F$ is such that $F(m_1, \ldots, m_n)(x) = F^i(m_i)(x)$ if $x \in X^i$; and

— $V_0$ is such that $V_0 = \bigwedge_{i=1}^{n} V_0^i$.

As an example of modeling a system using a composition of a network of hybrid automata, we consider the job-shop scheduling problem modeled as a collection of hybrid automata. In the next section, we show that solving the job-shop problem reduces to solving a verification problem (reachability) over the resulting hybrid automaton.

Example 6 (Job-shop Scheduling Problem): The job-shop scheduling problem is an important optimization problem studied frequently both in computer science and in operations research. It consists of a finite set $J = \{j_1, \ldots, j_n\}$ of jobs to be processed on a finite set $M = \{m_1, \ldots, m_k\}$ of machines. There is a precedence requirement between the jobs given as a strict partial order $\prec$ over the set of jobs in $J$. A mapping $\zeta : J \to 2^M$ specifies the set of machines on which a job can be executed, while the function $\delta : J \to \mathbb{R}_{>0}$ specifies the time duration of a job. We can model the job-shop scheduling problem using a network of hybrid automata where each job and each machine is specified using a separate hybrid automaton. We have the following constraints on the job execution: 1) a job $j$ can be executed iff all jobs in its precedence set, $j^{\prec} = \{j' : j' \prec j\}$, have terminated; 2) each machine $m \in M$ can process at most one job at a time; and 3) a job, once started, cannot be preempted.

Modeling Jobs. We model each job $j_i \in J$ as a hybrid automaton $\mathcal{H}_i$ with three modes $U_i$ (unscheduled), $S_i$ (scheduled), and $F_i$ (finished), $U_i$ being the initial mode. With each automaton $\mathcal{H}_i$ we associate two variables: the variable $x_i$, measuring the time while the job $j_i$ is being executed on a machine; and the variable $\mathit{done}_i$, with values 0 and 1 denoting whether the job is unfinished (0) or finished (1). For each job $j_i$ the initial valuation of the variable $x_i$ is 0, and the initial valuation of $\mathit{done}_i$ is 0. For each mode $m \in \{U_i, S_i, F_i\}$ we have that $F(m)(\mathit{done}_i) = 0$, and $F(S_i)(x_i) = 1$ (to measure the time spent processing the job) while $F(U_i)(x_i) = 0$ and $F(F_i)(x_i) = 0$. The transition from mode $U_i$ to $S_i$ with action $\mathit{begin}_i$ is guarded by the condition that all of the jobs preceding $j_i$ according to $\prec$ have finished, i.e. $\bigwedge_{k : j_k \prec j_i} (\mathit{done}_k = 1)$. The transition from mode $S_i$ to $F_i$ with action $\mathit{finish}_i$ is guarded by the predicate $x_i = \delta(j_i)$, specifying that job $j_i$ takes exactly $\delta(j_i)$ time units, and the jump of this transition includes $\mathit{done}_i' = 1$.

Modeling Machines. We model each machine $m_i \in M$ using a hybrid automaton with no variables and $k + 1$ modes, where $k$ is the number of jobs that can be scheduled on this machine: there is a unique mode $I_i$ (idle), and for each job $j_j$ that can be scheduled on this machine, i.e. $m_i \in \zeta(j_j)$, there is a mode $P_{i,j}$ (corresponding to processing job $j_j \in J$ on machine $m_i \in M$). For each mode $P_{i,j}$ there is a transition from $I_i$ to $P_{i,j}$ with action $\mathit{begin}_j$ and a transition from $P_{i,j}$ to $I_i$ with action $\mathit{finish}_j$, denoting the scheduling and the finishing, respectively, of job $j_j$ on machine $m_i$. Since there are no variables associated with these automata, the guard and the jump predicate of these transitions are simply $\top$.

As an example of such modeling, consider the job-shop problem with $J = \{j_1, j_2\}$, $M = \{m_1\}$, $\zeta(j_1) = \zeta(j_2) = \{m_1\}$, $j_1 \prec j_2$, and $\delta(j_1) = 3$ and $\delta(j_2) = 4$. Figure 8 shows the hybrid automata $\mathcal{H}_{j_1}$, $\mathcal{H}_{j_2}$, and $\mathcal{H}_{m_1}$ corresponding to the jobs $j_1$ and $j_2$, and the machine $m_1$, respectively. This figure also shows the composition of these automata $\mathcal{H}_{j_1} \otimes \mathcal{H}_{j_2} \otimes \mathcal{H}_{m_1}$, representing the hybrid automaton corresponding to the complete job-shop problem.
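The discrete part of Definition 7 applied to the job-shop components of Example 6, as an added Python example that is not part of the original article: on each action $a$ the product synchronizes exactly the components in $E(a)$ and conjoins their guards and jumps. Guards and jumps are kept as strings and timing is ignored, so the reachability check at the end is over modes only; the names `job`, `machine` and `compose` are this example's own.

```python
from itertools import product as cartesian

# A component's discrete part: modes, initial mode, alphabet, and transitions
# (src, guard, action, jump, dst) with guards and jumps kept as strings.


def job(i, preds, duration):
    """H_{j_i} of Example 6: modes U_i, S_i, F_i; begin_i is guarded by the done
    flags of the predecessors, finish_i by x_i = delta(j_i) and sets done_i' = 1."""
    guard = " ∧ ".join(f"done_{k} = 1" for k in preds) or "⊤"
    return {
        "modes": [f"U{i}", f"S{i}", f"F{i}"], "init": f"U{i}",
        "alphabet": {f"begin_{i}", f"finish_{i}"},
        "trans": [(f"U{i}", guard, f"begin_{i}", "⊤", f"S{i}"),
                  (f"S{i}", f"x_{i} = {duration}", f"finish_{i}", f"done_{i}' = 1", f"F{i}")],
    }


def machine(i, jobs):
    """H_{m_i}: idle mode I_i plus one mode P_{i,j} per job; guards and jumps are ⊤."""
    trans = []
    for j in jobs:
        trans.append((f"I{i}", "⊤", f"begin_{j}", "⊤", f"P{i},{j}"))
        trans.append((f"P{i},{j}", "⊤", f"finish_{j}", "⊤", f"I{i}"))
    return {"modes": [f"I{i}"] + [f"P{i},{j}" for j in jobs], "init": f"I{i}",
            "alphabet": {a for j in jobs for a in (f"begin_{j}", f"finish_{j}")},
            "trans": trans}


def conj(parts):
    """Conjunction of predicate strings, dropping trivial ⊤ conjuncts."""
    parts = [p for p in parts if p != "⊤"]
    return " ∧ ".join(parts) if parts else "⊤"


def compose(components):
    """Discrete part of Definition 7: modes are tuples; on action a every
    component with a in its alphabet (the set E(a)) takes an a-transition and
    the others keep their mode; the guards and jumps are conjoined."""
    alphabet = set().union(*(c["alphabet"] for c in components))
    modes = list(cartesian(*(c["modes"] for c in components)))
    init = tuple(c["init"] for c in components)
    trans = []
    for a in sorted(alphabet):
        E = [i for i, c in enumerate(components) if a in c["alphabet"]]
        for m in modes:
            # for each participating component, its a-transitions leaving m[i]
            options = [[t for t in components[i]["trans"] if t[0] == m[i] and t[2] == a]
                       for i in E]
            for choice in cartesian(*options):   # empty if some component cannot move
                m2 = list(m)
                for i, t in zip(E, choice):
                    m2[i] = t[4]
                trans.append((m, conj(t[1] for t in choice), a,
                              conj(t[3] for t in choice), tuple(m2)))
    return {"modes": modes, "init": init, "alphabet": alphabet, "trans": trans}


def reachable_modes(h):
    """Modes reachable from the initial mode when guards are ignored."""
    seen, frontier = {h["init"]}, [h["init"]]
    while frontier:
        m = frontier.pop()
        for t in h["trans"]:
            if t[0] == m and t[4] not in seen:
                seen.add(t[4])
                frontier.append(t[4])
    return seen


if __name__ == "__main__":
    # the instance of Example 6: j1 ≺ j2, both on m1, durations 3 and 4
    H = compose([job(1, [], 3), job(2, [1], 4), machine(1, [1, 2])])
    for t in H["trans"]:
        if t[0] == H["init"]:
            print(t)
    print(("F1", "F2", "I1") in reachable_modes(H))
```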

III. Formal Verification of Hybrid Systems 

Formal modeling and verification of systems is the set of techniques that employ rigorous mathematical reasoning to analyze properties of a system. In this article we concentrate on model checking—a formal verification framework introduced by Clarke, Sifakis and Emerson [?]—that, given a formal description of a system and its specification, systematically verifies whether the specification holds for the system model. Since, by definition, the states of a dynamical system change with time, classical propositional logic is not sufficient to reason about temporal properties of such dynamical systems. Temporal logics extend propositional or predicate logics by modalities that are useful to capture the change of behaviour of a system over time. Manna and Pnueli [77], [?] were the first to propose and promote the use of temporal logic to specify properties of dynamical systems in the context of system verification. Linear temporal logic (LTL) [77], computation tree logic (CTL) and its generalization CTL* [77], [50], and the modal $\mu$-calculus [53] are some of the popular temporal logics used for system specification. Timed and weighted extensions of these logics, e.g. metric temporal logics (MTL and MITL [83]), duration calculus (DC) [?], and weighted logics [?], [?], have also been proposed to specify more involved quantitative properties of hybrid dynamical systems.

In this article we limit the discussion to simple qualitative properties of hybrid systems that can broadly be classified into the following two categories [36]:

— The reachability or guarantee properties, that ask whether the system can reach a configuration satisfying a certain property $p$ (symbolically, we write $\Diamond p$ and we say eventually $p$); and

— The safety properties, that ask whether the system can stay forever in configurations satisfying a certain property $p$ (symbolically, we write $\Box p$ and we say always or globally $p$).

The linear temporal logic, LTL, provides a formal language to specify more involved nestings of such properties with ease. We begin this section (Section III-A) by introducing Kripke structures, which provide a way to mark the states of hybrid automata with properties of interest, and present the syntax and semantics of LTL as interpreted over Kripke structures. In Section III-B we formally introduce the LTL model-checking problem for hybrid automata, and show that in general this problem is undecidable. On a positive note, in Section III-C we show that LTL model-checking can be algorithmically solved for finite Kripke structures. Finally, in Section III-D we introduce the notion of bisimulation, and show that the existence of a finite bisimulation implies the decidability of the LTL model-checking problem.

A. Hybrid Kripke Structures and Linear Temporal Logic 

The formal specification of the underlying system begins by identifying key properties of interest (called atomic propositions) regarding the states of the system under verification. Kripke structures provide a way to label the states of state-transition graphs with such atomic propositions, and linear temporal logic specifies properties of the sequences of truth values of these propositions, called traces, for the runs of the corresponding transition system. Hence, before we introduce linear temporal logic (LTL) we need to introduce Kripke structures and their hybrid extension, and the concept of traces.

Definition 8 (Hybrid Kripke Structure): A Kripke structure is a tuple $(T, P, L)$ where:

— $T = (S, S_0, \Sigma, \Delta)$ is a state transition graph,

— $P$ is a finite set of atomic propositions, and

— $L : S \to 2^P$ is a labeling function that labels every state with a subset of $P$.

Similarly, we define a hybrid Kripke structure as a tuple $(\mathcal{H}, P, L)$ where:

— $\mathcal{H} = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ is a hybrid automaton,

— $P$ is a finite set of atomic propositions, and

— $L : M \to 2^P$ is a labeling function that labels every mode with a subset of $P$.

Observe that the semantics of a hybrid Kripke structure is a Kripke structure.

Let us fix a hybrid Kripke structure $(\mathcal{H}, P, L)$ and its semantics, the Kripke structure $([\![\mathcal{H}]\!], P, L)$, for the rest of this section. When the set of propositions and the labeling function are clear from the context, we use the terms state transition graph and Kripke structure, and the terms hybrid Kripke structure and hybrid automaton, interchangeably.

Given a hybrid Kripke structure $(\mathcal{H}, P, L)$ and an infinite run $r = ((m_0, v_0), (t_1, a_1), (m_1, v_1), \ldots, (m_n, v_n), \ldots)$ of $\mathcal{H}$, we define the trace corresponding to $r$, denoted $\mathrm{Trace}(r)$, as the sequence $(L(m_0), L(m_1), L(m_2), \ldots, L(m_n), \ldots)$. Let $\mathrm{Trace}(\mathcal{H}, P, L)$ be the set of traces of the hybrid Kripke structure $\mathcal{H}$. For a trace $\sigma = (P_0, P_1, \ldots, P_n, \ldots) \in \mathrm{Trace}(\mathcal{H}, P, L)$ we write $\sigma[i] = (P_i, P_{i+1}, \ldots)$ for the suffix of the trace starting at the index $i \geq 0$.

Now we are in a position to define the syntax and semantics of linear temporal logic.

Definition 9 (Linear Temporal Logic (Syntax)): The set of valid LTL formulas over a set $P$ of atomic propositions can be inductively defined as follows:

— $\top$ and $\bot$ are valid LTL formulas;

— if $p \in P$ then $p$ is a valid LTL formula;

— if $\phi$ and $\psi$ are valid LTL formulas then so are $\neg\phi$, $\phi \wedge \psi$ and $\phi \vee \psi$;

— if $\phi$ and $\psi$ are valid LTL formulas then so are $\bigcirc\phi$, $\Diamond\phi$, $\Box\phi$, and $\phi\,\mathcal{U}\,\psi$.

We often use $\phi \Rightarrow \psi$ as a shorthand for $\neg\phi \vee \psi$. Before we define the semantics of LTL formulas formally, let us give an informal description of the temporal operators $\bigcirc$, $\Diamond$, $\Box$, and $\mathcal{U}$. LTL formulas are interpreted over traces of (hybrid) Kripke structures. The formula $\bigcirc\phi$, read as next $\phi$, holds for a trace $\sigma = (P_0, P_1, P_2, \ldots)$ if $\phi$ holds for the trace $\sigma[1]$. The formula $\Diamond\phi$, read as eventually $\phi$, holds for a trace $\sigma = (P_0, P_1, P_2, \ldots)$ if there exists $i \geq 0$ such that the formula $\phi$ holds for the trace $\sigma[i]$. The formula $\Box\phi$, read as globally or always $\phi$, holds for a trace $\sigma = (P_0, P_1, P_2, \ldots)$ if for all $i \geq 0$ the formula $\phi$ holds for the trace $\sigma[i]$. Finally, the formula $\phi\,\mathcal{U}\,\psi$, read as $\phi$ until $\psi$, holds for a trace $\sigma = (P_0, P_1, P_2, \ldots)$ if there is an index $i$ such that $\psi$ holds for the trace $\sigma[i]$, and for every index $j$ before $i$ the formula $\phi$ holds for the trace $\sigma[j]$, i.e. the formula $\phi$ holds until the formula $\psi$ holds.

Definition 10 (Linear Temporal Logic (Semantics)): For a trace $\sigma = (P_0, P_1, P_2, \ldots)$ of a (hybrid) Kripke structure we write $\sigma \models \phi$ to say that the trace $\sigma$ satisfies the formula $\phi$. The satisfaction of LTL formulas is defined as follows:

— $\sigma \models \top$ and $\sigma \not\models \bot$;

— $\sigma \models p$ if $p \in P_0$;

— $\sigma \models \neg\phi$ if $\sigma \not\models \phi$;

— $\sigma \models \phi \wedge \psi$ if $\sigma \models \phi$ and $\sigma \models \psi$;

— $\sigma \models \phi \vee \psi$ if $\sigma \models \phi$ or $\sigma \models \psi$;

— $\sigma \models \bigcirc\phi$ if $\sigma[1] \models \phi$;

— $\sigma \models \Diamond\phi$ if there exists $i \geq 0$ such that $\sigma[i] \models \phi$;

— $\sigma \models \Box\phi$ if for all $i \geq 0$ we have that $\sigma[i] \models \phi$; and

— $\sigma \models \phi\,\mathcal{U}\,\psi$ if there exists $i \geq 0$ such that $\sigma[i] \models \psi$, and for all $0 \leq j < i$ we have $\sigma[j] \models \phi$.

For a (hybrid) Kripke structure $(\mathcal{H}, P, L)$ and an LTL formula $\phi$ we say that $(\mathcal{H}, P, L) \models \phi$ if for all $\sigma \in \mathrm{Trace}(\mathcal{H}, P, L)$ we have that $\sigma \models \phi$.

Lamport [72] observed that most system specifications can be classified into safety properties (something will not happen) and liveness properties (something must happen). Manna and Pnueli [76] further refined the class of specifications, starting from reachability and safety properties, to introduce a hierarchy of temporal properties using nesting of LTL operators, for instance:

— The recurrence properties, that ask whether the system can infinitely often visit configurations satisfying a certain property $p$ (symbolically, we write $\Box\Diamond p$ and we say infinitely often $p$); and

— The persistence properties, that ask whether the system visits configurations not satisfying a certain property $p$ only finitely often (symbolically, we write $\Diamond\Box p$ and we say eventually always $p$).

Some examples of expressing reachability, safety, and liveness properties using LTL are shown in the following example.

Example 7: As an example let us write LTL specifications for an elevator serving $k$ different floors. Let $op_i$, $fl_i$ and $req_i$ be atomic propositions representing the situations that "the door at floor $i$ is open", "the lift is at floor $i$ and is not moving" and "there is a request for the lift to move to the $i$th floor", respectively. The following are some specifications in English and their LTL counterparts:

1) Reachability property: The lift will visit the ground floor sometime.

$$\varphi_1 = \Diamond fl_0.$$

2) Safety property: The door of the lift is never open at a floor if the lift is not present there.

$$\varphi_2 = \Box \Big( \bigwedge_{i=0}^{k-1} (\neg fl_i \Rightarrow \neg op_i) \Big).$$

3) Recurrence property: The lift keeps coming back to the ground floor.

$$\varphi_3 = \Box(\neg fl_0 \Rightarrow \Diamond fl_0) \wedge \Box\Diamond fl_0.$$

4) Persistence property: Eventually always, a requested floor will eventually be served.

$$\varphi_4 = \Diamond\Box \Big( \bigwedge_{i=0}^{k-1} (req_i \Rightarrow \Diamond fl_i) \Big).$$

For a detailed overview of LTL for system specification, we refer the reader to [?], [?], [?], [?].

B. LTL Model Checking for Hybrid Automata 

The LTL model-checking problem for hybrid automata can be formally stated in the following manner.

Definition 11 (LTL Model-Checking): Given a system modeled as a (hybrid) Kripke structure $(\mathcal{H}, P, L)$, and a specification written as an LTL formula $\phi$, the LTL model-checking problem is to decide whether all traces of $\mathcal{H}$ satisfy $\phi$, i.e. $(\mathcal{H}, P, L) \models \phi$. Moreover, if the system does not satisfy the property, give a counterexample (a run of the system) violating the property.

Fig. 9. Module simulating $\ell_i$: increment $c$, goto $\ell_j$.

Fig. 10. A Kripke structure $T$ (states $m_0$, $m_1$, $m_2$ labeled with subsets of $\{p, q\}$).

Example 8: Consider the Kripke structure $T$ of Figure 10 with set of atomic propositions $\{p, q\}$. We depict the labeling function by writing the set of propositions inside the states, and we omit other non-relevant details. Let us consider the LTL formulas $\phi_1 = \Diamond(p \wedge \neg q)$ and $\phi_2 = \Box q \vee \Diamond\Box p$. Observe that $T \not\models \phi_1$, as is clear from the counterexample $r = (m_0, a, m_1, a, m_0, \ldots)$: it never visits a configuration satisfying $(p \wedge \neg q)$, as its trace $\mathrm{Trace}(r) = \{q\}\{p, q\}\{q\}\{p, q\}\cdots$ shows. On the other hand, it is easy to verify that $T$ satisfies $\phi_2$, as any run of $T$ either never visits $m_2$ (and in that case satisfies $\Box q$), or it eventually visits $m_2$ and never leaves it (and thus satisfies $\Diamond\Box p$).
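The following Python example, added here and not part of the original article, implements the satisfaction relation of Definition 10 over ultimately periodic (lasso-shaped) traces and evaluates $\phi_1$ and $\phi_2$ of Example 8 on the two kinds of runs discussed above. It assumes the label $\{p\}$ on mode $m_2$ (the figure is not reproduced here) and uses its own tuple encoding of formulas.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# LTL formulas (Definition 9) as nested tuples:
#   ("T",) ("F",) ("p", name) ("not", f) ("and", f, g) ("or", f, g)
#   ("next", f) ("eventually", f) ("always", f) ("until", f, g)


@dataclass(frozen=True)
class Lasso:
    """An ultimately periodic trace prefix . loop^omega: a finite presentation of
    one infinite trace, each position being the set of propositions true there."""
    prefix: Tuple[FrozenSet[str], ...]
    loop: Tuple[FrozenSet[str], ...]

    def norm(self, i):
        # map any position onto its representative in prefix + one copy of loop
        n, p = len(self.prefix), len(self.loop)
        return i if i < n else n + (i - n) % p

    def at(self, i):
        i = self.norm(i)
        n = len(self.prefix)
        return self.prefix[i] if i < n else self.loop[i - n]

    def horizon(self, i):
        # positions i .. i+n+p-1 visit every distinct suffix sigma[j] with j >= i
        return range(i, i + len(self.prefix) + len(self.loop))


def sat(sigma, phi, i=0):
    """sigma[i] |= phi, clause by clause as in Definition 10."""
    op = phi[0]
    if op == "T":
        return True
    if op == "F":
        return False
    if op == "p":
        return phi[1] in sigma.at(i)
    if op == "not":
        return not sat(sigma, phi[1], i)
    if op == "and":
        return sat(sigma, phi[1], i) and sat(sigma, phi[2], i)
    if op == "or":
        return sat(sigma, phi[1], i) or sat(sigma, phi[2], i)
    if op == "next":
        return sat(sigma, phi[1], i + 1)
    if op == "eventually":
        return any(sat(sigma, phi[1], j) for j in sigma.horizon(i))
    if op == "always":
        return all(sat(sigma, phi[1], j) for j in sigma.horizon(i))
    if op == "until":
        for j in sigma.horizon(i):
            if sat(sigma, phi[2], j):
                return True        # psi holds at j and phi held on [i, j)
            if not sat(sigma, phi[1], j):
                return False       # phi failed before any psi
        return False               # the horizon exhausts all distinct suffixes
    raise ValueError(f"unknown operator {op!r}")


# Kripke structure T of Example 8.  The labels of m0 and m1 follow the trace
# given in the text; the label {p} of m2 is an assumption.
LABEL = {"m0": frozenset({"q"}), "m1": frozenset({"p", "q"}), "m2": frozenset({"p"})}


def trace_of(prefix_modes, loop_modes):
    """Trace(r) for a lasso-shaped run of T given by its mode sequences."""
    return Lasso(tuple(LABEL[m] for m in prefix_modes),
                 tuple(LABEL[m] for m in loop_modes))


PHI1 = ("eventually", ("and", ("p", "p"), ("not", ("p", "q"))))              # ◇(p ∧ ¬q)
PHI2 = ("or", ("always", ("p", "q")), ("eventually", ("always", ("p", "p"))))  # □q ∨ ◇□p


def check_example_8():
    r1 = trace_of([], ["m0", "m1"])        # (m0 m1)^omega: the counterexample to phi1
    r2 = trace_of(["m0", "m1"], ["m2"])    # enters m2 and stays there forever
    return {"phi1": (sat(r1, PHI1), sat(r2, PHI1)),
            "phi2": (sat(r1, PHI2), sat(r2, PHI2))}


if __name__ == "__main__":
    print(check_example_8())
```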

Example 9 (Job-Shop Scheduling Revisited): Consider the job-shop scheduling problem modeled as a network of hybrid automata in Figure 8. Consider the atomic propositions $j_1.\mathit{finish}$ and $j_2.\mathit{finish}$ that are true only in modes $F_1$ and $F_2$, respectively. The counterexample produced in model-checking the LTL property $\neg(\Diamond(j_1.\mathit{finish} \wedge j_2.\mathit{finish}))$ gives a valid schedule for the job-shop scheduling problem.

Next, we show that the LTL model-checking problem for hybrid Kripke structures is undecidable. To prove this result, we show a reduction from the well-known undecidable problem of reachability (halting) for two-counter Minsky machines [?].

A Minsky machine $\mathcal{A}$ is a tuple $(L, C)$ where $L = \{\ell_0, \ell_1, \ldots, \ell_n\}$ is the set of instructions. There is a distinguished terminal instruction $\ell_n$ called HALT. $C = \{c_1, c_2\}$ is the set of two counters; the instructions in $L$ are of one of the following types:

1) (increment $c$) $\ell_i : c := c + 1$; goto $\ell_k$,

2) (test-and-decrement $c$) $\ell_i :$ if $(c > 0)$ then ($c := c - 1$; goto $\ell_k$) else goto $\ell_m$,

3) (Halt) $\ell_n :$ HALT,

where $c \in C$ and $\ell_i, \ell_k, \ell_m \in L$.

A configuration of a Minsky machine is a tuple $(\ell, c, d)$ where $\ell \in L$ is an instruction, and $c, d$ are natural numbers that specify the values of the counters $c_1$ and $c_2$, respectively. The initial configuration is $(\ell_0, 0, 0)$. A run of a Minsky machine is a (finite or infinite) sequence of configurations $(\xi_0, \xi_1, \ldots)$ where $\xi_0$ is the initial configuration, and the relation between subsequent configurations is governed by the transitions between the respective instructions. The run is a finite sequence if and only if the last configuration is at the terminal instruction $\ell_n$. Note that a Minsky machine has exactly one run starting from the initial configuration. The halting problem for a Minsky machine asks whether its unique run ends at the terminal instruction $\ell_n$. It is well known [?] that the halting problem for two-counter Minsky machines is undecidable.

Theorem 3: The LTL model-checking problem for hybrid Kripke structures is undecidable.

Proof. Given a two-counter machine $\mathcal{A}$, we construct a hybrid Kripke structure $\mathcal{H}$ and an LTL formula $\phi$ such that $\mathcal{H} \models \phi$ iff $\mathcal{A}$ halts. The modes of $\mathcal{H}$ are labeled with the labels $\ell_i$ of the instructions. There is a unique mode of $\mathcal{H}$ labeled with the atomic proposition "HALT", which corresponds to the terminal instruction of $\mathcal{A}$. The increment, decrement and test instructions are encoded by suitable modules in $\mathcal{H}$. The variables of $\mathcal{H}$ are $X = \{x_1, x_2, y, z, z_1\}$, with $F(m)$ for all modes defined as follows:

$$\dot{x}_1 = 1 \wedge \dot{x}_2 = 1 \wedge \dot{y} = 1 \wedge \dot{z} = 1 \wedge \dot{z}_1 = 2.$$

The initial mode is labeled by $\ell_0$, the label of the first instruction. The values of the counters $c, d$ are encoded as $x_1 = \frac{1}{2^c}$ and $x_2 = \frac{1}{2^d}$. After the execution of each instruction, $x_1, x_2$ will contain the current values of the counters $c, d$ encoded in the above form. For instance, if we have $x_1 = x_2 = \frac{1}{2^k}$ before incrementing counter $c$, then at the end of simulating the increment instruction we will have $x_1 = \frac{1}{2^{k+1}}$ and $x_2 = \frac{1}{2^k}$.

We illustrate here the case of the increment instruction $\ell_i$: increment $c$ and goto $\ell_j$ (Figure 9). The case for the decrement instruction is similar, and hence omitted. Mode $\ell_i$ is entered with $y = 0$, $x_1 = \frac{1}{2^c}$ and $x_2 = \frac{1}{2^d}$. On entering mode $A_i$ we have $x_1 = 1$, $y = 1 - \frac{1}{2^c}$, $x_2 = \frac{1}{2^d} + (1 - \frac{1}{2^c})$ or $x_2 = 1 - \frac{1}{2^c} - \eta$ if $\frac{1}{2^d} + \eta = 1$, $\eta < 1 - \frac{1}{2^c}$, and $z = 0$. Mode $B_i$ can be entered if $x_2, y < 1$ and $x_1 \geq 1$. Assume $k > 0$ units of time were spent in mode $A_i$. This gives $y = 1 - \frac{1}{2^c} + k$, $x_2 = \frac{1}{2^d} + (1 - \frac{1}{2^c}) + k$ (or $1 - \frac{1}{2^c} - \eta + k$, or $1 - \eta'$ if $1 - \frac{1}{2^c} - \eta + \eta' = 1$, $\eta' < k$), $z = k$, $x_1 = 0$, $z_1 = 0$ on entering mode $B_i$. We can reach mode $\ell_j$ only if the values of $z$ and $z_1$ are the same. Assume $l$ units of time were spent in $B_i$. Then $z = k + l$, $z_1 = 2l$, $x_2 = \frac{1}{2^d} + (1 - \frac{1}{2^c}) + k$, $x_1 = l$, $y = 1 - \frac{1}{2^c} + k + l$. To satisfy the constraints $z = z_1$ and $y = 1$, we must have $k = l$ and $k + l = 2k = \frac{1}{2^c}$, giving $x_1 = \frac{1}{2^{c+1}}$, $x_2 = \frac{1}{2^d}$, $y = 0$ at $\ell_j$.

The LTL formula $\phi = \ell_0 \wedge \Diamond\mathit{HALT}$ will be satisfied by $\mathcal{H}$ iff $\mathcal{A}$ halts. This shows that LTL model checking of hybrid Kripke structures is undecidable. ■

C. LTL Model-Checking for Finite Kripke Structures 

As we discussed in the previous section, the LTL model-checking problem is undecidable for general hybrid automata. However, for finite Kripke structures Wolper, Vardi, and Sistla [99] developed an elegant automata-theoretic algorithm for solving the LTL model-checking problem. The algorithm exploits the connection between LTL formulas and a type of $\omega$-automata—automata that extend the theory of finite automata to infinite inputs—called Büchi automata [40], [56]. The syntax of a Büchi automaton specifies a finite state transition graph $T$ along with a set $F$ of accepting states, and the semantics of Büchi automata restricts the set of valid runs to the runs of $T$ that visit $F$ infinitely often. In general Büchi automata are closed under all Boolean operations including union, intersection, and complementation; however, the deterministic variant of Büchi automata is not closed under complementation. Emptiness checking for Büchi automata can be decided efficiently (in linear time) by analyzing the strongly connected components of $T$.

The LTL model-checking algorithm exploits the following connection between linear temporal logic and Büchi automata.

Theorem 4 (LTL-to-Büchi Automata [99]): For every LTL formula $\phi$ we can effectively construct a finite (Büchi) automaton $A_\phi$ (of size exponential in $\phi$) such that the words recognized by $A_\phi$ are precisely the set of traces that satisfy $\phi$.

Based on this result, LTL model checking for a finite Kripke structure $\mathcal{K}$ can be performed in the following manner:

1) Construct a Büchi automaton $A_{\neg\phi}$ corresponding to the negation of the LTL property.

2) Construct the composition $\mathcal{K} \otimes A_{\neg\phi}$ of the Kripke structure $\mathcal{K}$ with the Büchi automaton $A_{\neg\phi}$.

3) If the Büchi automaton $\mathcal{K} \otimes A_{\neg\phi}$ is empty, then return "TRUE".

4) Else, return a lasso-shaped infinite run (a finite prefix followed by a cycle that contains an accepting state) accepted by $\mathcal{K} \otimes A_{\neg\phi}$ as a counterexample.

The correctness of this algorithm follows from the observation that the set of traces of the composition $\mathcal{K} \otimes A_{\neg\phi}$ characterizes the set of traces generated by $\mathcal{K}$ that do not satisfy $\phi$. Hence, the Kripke structure $\mathcal{K}$ satisfies the LTL property $\phi$ if and only if $\mathcal{K} \otimes A_{\neg\phi}$ is empty.
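Steps 2 to 4 of the algorithm, as an added Python example that is not part of the original article: the product of a finite Kripke structure with a Büchi automaton, and a nested depth-first search that either reports emptiness or returns a lasso-shaped counterexample. The Kripke structure is $T$ of Example 8 (label $\{p\}$ on $m_2$ assumed), and the Büchi automata for $\neg\phi_1$ and $\neg\phi_2$ are built by hand, since the LTL-to-Büchi translation of Theorem 4 is not implemented here.

```python
# Finite Kripke structure: initial states, successor map and labelling
# (the structure T of Example 8; the label {p} on m2 is an assumption).
KRIPKE = {
    "init": ["m0"],
    "succ": {"m0": ["m1"], "m1": ["m0", "m2"], "m2": ["m2"]},
    "label": {"m0": {"q"}, "m1": {"p", "q"}, "m2": {"p"}},
}

# A Büchi automaton is given by initial states, guarded transitions (the guard
# is a predicate on the label set read in the current Kripke state) and the
# accepting states.  Both automata below are hand-built for the negated
# properties of Example 8.


def buchi_not_phi1():
    # ¬φ1 = □(¬p ∨ q): a single accepting state that loops while ¬p ∨ q holds
    return {"init": ["s0"],
            "trans": [("s0", lambda L: "p" not in L or "q" in L, "s0")],
            "accept": {"s0"}}


def buchi_not_phi2():
    # ¬φ2 = ◇¬q ∧ □◇¬p: guess the position of ¬q, then require ¬p infinitely often
    return {"init": ["s0"],
            "trans": [("s0", lambda L: True, "s0"),
                      ("s0", lambda L: "q" not in L, "s1"),
                      ("s1", lambda L: "p" in L, "s1"),
                      ("s1", lambda L: "p" not in L, "s2"),
                      ("s2", lambda L: "p" not in L, "s2"),
                      ("s2", lambda L: "p" in L, "s1")],
            "accept": {"s2"}}


def product_succ(K, B, state):
    """Successors of (k, s) in K ⊗ B: the automaton reads L(k) and moves
    s -> s' while the Kripke structure moves k -> k'."""
    k, s = state
    L = K["label"][k]
    return [(k2, dst) for (src, guard, dst) in B["trans"]
            if src == s and guard(L) for k2 in K["succ"][k]]


def find_accepting_lasso(K, B):
    """Nested depth-first search for a reachable cycle through an accepting
    product state.  Returns (prefix, cycle) of product states, or None when
    the language of K ⊗ B is empty."""
    visited, flagged = set(), set()

    def cycle_search(s, target, path):
        for t in product_succ(K, B, s):
            if t == target:
                return path + [t]
            if t not in flagged:
                flagged.add(t)
                found = cycle_search(t, target, path + [t])
                if found:
                    return found
        return None

    def reach_search(s, path):
        visited.add(s)
        for t in product_succ(K, B, s):
            if t not in visited:
                found = reach_search(t, path + [t])
                if found:
                    return found
        if s[1] in B["accept"]:            # post-order: start the inner search here
            cycle = cycle_search(s, s, [])
            if cycle:
                return path, cycle
        return None

    for k0 in K["init"]:
        for s0 in B["init"]:
            found = reach_search((k0, s0), [(k0, s0)])
            if found:
                return found
    return None


def model_check(K, B_neg):
    """K |= φ iff K ⊗ A_¬φ is empty; otherwise the lasso projected onto the
    Kripke states is the counterexample run (prefix, cycle)."""
    lasso = find_accepting_lasso(K, B_neg)
    if lasso is None:
        return True, None
    prefix, cycle = lasso
    return False, ([k for k, _ in prefix], [k for k, _ in cycle])


if __name__ == "__main__":
    print("phi1:", model_check(KRIPKE, buchi_not_phi1()))
    print("phi2:", model_check(KRIPKE, buchi_not_phi2()))
```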

Theorem 5 (LTL Model-Checking for Finite Structures): The LTL model-checking problem for finite Kripke structures is decidable in PSPACE.

LTL model-checking for finite Kripke structures is implemented by a number of mature tools, notably SPIN [92] and NuSMV [82], and has been applied to a number of practical case studies [92], [82].

D. Finite Bisimulation and Decidability 

In this section we introduce the concept of a bisimulation relation between two Kripke structures, and show that two bisimilar systems (systems having a bisimulation relation between their states) have the same set of traces, and hence precisely the same set of LTL formulas is satisfied by both of them. Using this idea, we show that if for a given hybrid Kripke structure $\mathcal{H}$ there exists a bisimulation relation with some finite state Kripke structure $\mathcal{K}$, then the problem of LTL model-checking for $\mathcal{H}$ can be reduced to the decidable problem of LTL model-checking for the finite Kripke structure $\mathcal{K}$.

We say that a Kripke structure $\mathcal{K}' = (T', P, L')$ can simulate a Kripke structure $\mathcal{K} = (T, P, L)$ if every step of $\mathcal{K}$ can be matched (with respect to atomic propositions) by one or more steps of $\mathcal{K}'$. Bisimulation equivalence denotes the presence of a mutual simulation between two structures $\mathcal{K}$ and $\mathcal{K}'$. Formally, we define a bisimulation relation in the following manner.
Definition 12 (Bisimulation Relation): Let $\mathcal{K} = (T = (S, S_0, \Sigma, \Delta), P, L)$ and $\mathcal{K}' = (T' = (S', S_0', \Sigma', \Delta'), P, L')$ be two Kripke structures. A bisimulation relation between $\mathcal{K}$ and $\mathcal{K}'$ is a binary relation $\mathcal{R} \subseteq S \times S'$ such that:

— every initial state of $T$ is related to some initial state of $T'$, and vice versa, i.e. for every $s \in S_0$ there exists $s' \in S_0'$ such that $(s, s') \in \mathcal{R}$, and for every $s' \in S_0'$ there exists an $s \in S_0$ such that $(s, s') \in \mathcal{R}$;

— for every $(s, s') \in \mathcal{R}$ the following holds:

- $L(s) = L'(s')$,

- every outgoing transition of $s$ is matched with some outgoing transition of $s'$, i.e. if $t \in \mathrm{Post}(s)$ then there exists $t' \in \mathrm{Post}(s')$ with $(t, t') \in \mathcal{R}$, and

- every outgoing transition of $s'$ is matched with some outgoing transition of $s$, i.e. if $t' \in \mathrm{Post}(s')$ then there exists $t \in \mathrm{Post}(s)$ with $(t, t') \in \mathcal{R}$.

We say that $T$ and $T'$ (analogously, $\mathcal{K}$ and $\mathcal{K}'$) are bisimilar or bisimulation equivalent, and we write $T \sim T'$, if there exists a bisimulation relation $\mathcal{R} \subseteq S \times S'$.

The following proposition follows from the definition of bisimulation and the semantics of LTL.

Proposition 6: If $T \sim T'$ then $\mathrm{Trace}(T) = \mathrm{Trace}(T')$. Moreover, if $T \sim T'$ then for every LTL formula $\phi$ we have that $T \models \phi$ if and only if $T' \models \phi$.

Proof. Let $T \sim T'$. Using a simple inductive argument, one can show that for every run $r = (s_0, a_1, s_1, a_2, \ldots)$ of $T$ there is a run $r' = (s_0', a_1', s_1', a_2', \ldots)$ of $T'$ such that $L(s_i) = L'(s_i')$ for every $i \geq 0$. This implies that $\mathrm{Trace}(r) = \mathrm{Trace}(r')$ and hence $\mathrm{Trace}(T) \subseteq \mathrm{Trace}(T')$. Similarly, we can show that $\mathrm{Trace}(T') \subseteq \mathrm{Trace}(T)$. Hence it follows that $T \sim T'$ implies $\mathrm{Trace}(T) = \mathrm{Trace}(T')$. To prove the other part of the proposition, observe that LTL formulae are interpreted over traces of structures, and since two bisimilar Kripke structures have the same set of traces, it follows that for every LTL formula $\phi$ we have that $T \sim T'$ implies that $T \models \phi$ if and only if $T' \models \phi$. ■

This proposition shows that the LTL model checking problem can 
be reduced to solving the LTL model checking problem over a 
bisimilar Kripke structure. We next show how to extend this 
idea to define a bisimulation over the states of a single Kripke structure, 
and use it to produce a bisimilar Kripke structure with fewer 
states. 

Definition 13 (Bisimulation Relation on $\mathcal{K}$): Let $\mathcal{K} = (T = (S, S_0, \Sigma, \Delta), P, L)$ be a Kripke structure. A bisimulation on 
$\mathcal{K}$ is a binary relation $\mathcal{R} \subseteq S \times S$ such that for all $(s, s') \in \mathcal{R}$ 
we have that: 

— $L(s) = L(s')$; 

— if $t \in \mathrm{Post}(s)$, then there exists a $t' \in \mathrm{Post}(s')$ such 
that $(t, t') \in \mathcal{R}$; 

— if $t' \in \mathrm{Post}(s')$, then there exists a $t \in \mathrm{Post}(s)$ such 
that $(t, t') \in \mathcal{R}$. 

It is easy to see that a bisimulation relation $\mathcal{R}$ over the state 
space of $\mathcal{K}$ is an equivalence relation. For a state $s \in S$ we 
write $[s]_\mathcal{R}$ for the equivalence class of $\mathcal{R}$ containing $s$. We say 
that states $s, s' \in S$ are bisimulation equivalent, and we write 
$s \sim_T s'$, if there exists a bisimulation relation $\mathcal{R}$ for $T$ with 
$(s, s') \in \mathcal{R}$. 

Given a Kripke structure $T$, we use a bisimulation relation 
$\mathcal{R}$ for reducing the state space of $T$ using the following 
quotient construction. 

Definition 14 (Bisimulation Quotient): Given a Kripke 
structure $\mathcal{K} = (T = (S, S_0, \Sigma, \Delta), P, L)$ and a bisimulation 
relation $\mathcal{R} \subseteq S \times S$ over $\mathcal{K}$, the bisimulation quotient 
$\mathcal{K}_\mathcal{R}$ is defined as a Kripke structure $\mathcal{K}_\mathcal{R} = (T_\mathcal{R} = (S_\mathcal{R}, S^0_\mathcal{R}, \Sigma_\mathcal{R}, \Delta_\mathcal{R}), P, L_\mathcal{R})$ where: 

— the state space of $T_\mathcal{R}$ is the quotient space of $T$, i.e. 
$S_\mathcal{R} = \{[s]_\mathcal{R} : s \in S\}$; 

— the set of initial states is the set of $\mathcal{R}$-equivalence classes 
of the initial states, i.e. $S^0_\mathcal{R} = \{[s]_\mathcal{R} : s \in S_0\}$; 

— $\Sigma_\mathcal{R} = \Sigma$; 

— each transition $(s, a, s') \in \Delta$ induces a transition from $[s]_\mathcal{R}$ to $[s']_\mathcal{R}$ in $\Delta_\mathcal{R}$, i.e. 
$\Delta_\mathcal{R} = \{([s]_\mathcal{R}, a, [s']_\mathcal{R}) : (s, a, s') \in \Delta\}$, and 

— $L_\mathcal{R}$ is defined such that $L_\mathcal{R}([s]_\mathcal{R}) = L(s)$.³ 

We say that a bisimulation quotient is finite if there are finitely 
many equivalence classes of $\mathcal{R}$, i.e. $|S_\mathcal{R}| < \infty$. 

The proof of the following theorem is immediate from Proposition 6 and Theorem 5. 

Theorem 7: The existence of a finite bisimulation quotient 
for a hybrid Kripke structure implies the decidability of the LTL 
model-checking problem. 
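To make the quotient construction concrete, here is an added worked example (not code from the paper): a constructed eight-state Kripke structure, the coarsest bisimulation on it computed by partition refinement according to Definition 13, and the quotient $\mathcal{K}_\mathcal{R}$ of Definition 14. The state names, action labels and propositions are all assumptions.

```python
# Constructed Kripke structure (an assumption, not from the paper): two
# implementations p and q of a request/acknowledge cycle; q has an extra
# branch (q4) that can stay busy forever. Transitions are (s, a, s').
S = {"p0", "p1", "p2", "q0", "q1", "q2", "q3", "q4"}
S0 = {"p0", "q0"}
DELTA = {("p0", "req", "p1"), ("p1", "ack", "p2"), ("p2", "tau", "p2"),
         ("q0", "req", "q1"), ("q0", "req", "q3"), ("q0", "req", "q4"),
         ("q1", "ack", "q2"), ("q3", "ack", "q2"), ("q2", "tau", "q2"),
         ("q4", "tau", "q4")}
LABEL = {"p0": {"idle"}, "p1": {"busy"}, "p2": {"done"},
         "q0": {"idle"}, "q1": {"busy"}, "q2": {"done"},
         "q3": {"busy"}, "q4": {"busy"}}

def post(delta, s):
    """Post(s): successor states of s; the action plays no role in matching."""
    return {t for (u, _a, t) in delta if u == s}

def is_bisimulation(R, delta, L):
    """Check the three conditions of Definition 13 for every (s, s') in R."""
    for s, s2 in R:
        if L[s] != L[s2]:
            return False
        if any(all((t, t2) not in R for t2 in post(delta, s2)) for t in post(delta, s)):
            return False
        if any(all((t, t2) not in R for t in post(delta, s)) for t2 in post(delta, s2)):
            return False
    return True

def coarsest_bisimulation(S, delta, L):
    """Partition refinement: start from the partition induced by L and split a
    block whenever two of its states reach different sets of blocks. Returns
    the map s -> [s]_R for the coarsest bisimulation R (an equivalence)."""
    by_label = {}
    for s in S:
        by_label.setdefault(frozenset(L[s]), set()).add(s)
    blocks = list(by_label.values())
    while True:
        block_of = {s: i for i, b in enumerate(blocks) for s in b}
        refined = {}
        for s in S:
            sig = (block_of[s], frozenset(block_of[t] for t in post(delta, s)))
            refined.setdefault(sig, set()).add(s)
        new_blocks = list(refined.values())
        if len(new_blocks) == len(blocks):   # a refinement step only ever splits
            return {s: frozenset(b) for b in blocks for s in b}
        blocks = new_blocks

def bisimulation_quotient(S, S0, delta, L):
    """K_R of Definition 14: states are the classes [s]_R, each transition
    (s, a, s') induces ([s]_R, a, [s']_R), and L_R([s]_R) = L(s)."""
    cls = coarsest_bisimulation(S, delta, L)
    S_R = set(cls.values())
    S0_R = {cls[s] for s in S0}
    delta_R = {(cls[s], a, cls[t]) for (s, a, t) in delta}
    L_R = {c: L[next(iter(c))] for c in S_R}   # well defined: L agrees on a class
    return S_R, S0_R, delta_R, L_R

if __name__ == "__main__":
    S_R, S0_R, delta_R, L_R = bisimulation_quotient(S, S0, DELTA, LABEL)
    print(len(S), "states collapse to", len(S_R), "classes:", sorted(map(sorted, S_R)))
```

Running it shows that p1, q1 and q3 collapse into one class and p2, q2 into another, while p0 and q0 stay apart because only q0 can reach the forever-busy state q4.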

IV. Decidable Subclasses of Hybrid Automata 

Given the expressiveness of hybrid automata it is not 
surprising that simple reachability questions are undecidable 
for general hybrid Kripke structures. In this section we discuss 
some prominent subclasses of hybrid automata for which the 
LTL model checking problem is decidable. In the previous 
section we showed that the existence of a finite 
bisimulation quotient guarantees decidable model-checking. 
Timed automata were among the first hybrid automata shown 
to have decidable model-checking using this approach. We 
begin this section by presenting timed automata and discussing 
their bisimulation, known as the region-equivalence relation. We 
will also review multi-rate and rectangular hybrid automata 
(Section IV-B) that, under a certain restriction (being initialized), recover 
decidability of LTL model-checking via reductions to the 
corresponding problem on timed automata. Finally, in Section IV-C 
we discuss a relatively simple class of hybrid systems, called 
piecewise-constant derivative systems, that captures the essence 
of the undecidability, and provide references to its variants that 
permit algorithmic analysis. 

³ Observe that the definition of bisimulation ensures that the state labeling 
$L_\mathcal{R}$ is well defined. 


A. Timed Automata 

Timed automata, introduced by Alur and Dill [?], [?], 
are a popular formalism to model real-time systems. A timed 
automaton is a hybrid automaton where all variables grow with 
a constant and uniform rate (for all variables $x \in X$ we have 
that $\dot{x} = 1$) and the only jump permitted during discrete 
transitions is a reset to zero. Moreover, the set of predicates 
permitted to appear as guards on transitions is restricted to the 
following kind of octagonal predicates: 

$$g := x \bowtie c \mid x - y \bowtie c \mid g \wedge g \qquad (4)$$ 

where $x, y$ are clock variables, $\bowtie \in \{<, \leq, =, \geq, >\}$ and $c \in \mathbb{N}$. We write $Z(X)$ for this class of octagonal predicates over 
the set $X$. Formally, we define a timed automaton as a restriction 
of hybrid automata in the following manner. 

Definition 15 (Timed Automata: Syntax): A timed automaton 
is a hybrid automaton $T = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ with 
the following restrictions: 

— the transition relation $\Delta \subseteq M \times \mathrm{pred}(X) \times \Sigma \times \mathrm{pred}(X \cup X') \times M$ is such that if $(m, g, a, j, m') \in \Delta$ then 

- the guard $g$ is of the form (4), i.e. $g \in Z(X)$, and 

- the jump predicate $j$ only permits variable resets to 
zero, i.e. $j$ is of the form 

$$\bigwedge_{x \in Y} (x' = 0),$$ 

for some $Y \subseteq X$. We denote such a set $Y$ as $\mathrm{reset}(j)$; 

— the mode-invariant function $I : M \to \mathrm{pred}(X)$ is such 
that for all $m \in M$ we have that $I(m) \in Z(X)$; 

— the flow function $F$ is such that for 
all $m \in M$ we have that $F(m)$ characterizes 

$$\bigwedge_{x \in X} (\dot{x} = 1); \text{ and}$$ 

— $V_0 \in \mathrm{pred}(X)$, the set of initial valuations, is such that 

$$V_0 = \bigwedge_{x \in X} (x = 0).$$ 

The semantics of timed automata and the concept of timed 
Kripke structures are defined in a similar way as for hybrid 
automata. 

Example 10: The hybrid automaton corresponding to the 
job-shop scheduling problem, shown in Figure 8, can also be 
modeled as a timed automaton by requiring that the rates of the 
variables $x_1$ and $x_2$ are 1 in all the modes (unlike the current 
example where these clocks are paused in certain modes). 

Example 11: As an example of a timed automaton consider 
Figure 11, which models a login protocol using a timed 
automaton. The system starts in the "standby" mode. If the 
user gives a correct password within 60 time units after giving 
the user name, a connection will be established; if, however, 
the password given is wrong, the system restarts after a delay 
of at least 10 time units. Moreover, if no password is given 
within 60 time units after supplying the user name, then the system 
restarts in the standby mode. This system is modeled using a 
timed automaton with five modes and one clock in Figure 11. 

Alur and Dill [?] proposed the notion of region equivalence 
to define a bisimulation relation over timed Kripke 
structures $(T, P, L)$. We say that two clock valuations $v$ and 
$v'$ are region equivalent, and we write $v \sim_R v'$, if and only 
if all clocks have the same integer parts in $v$ and $v'$ and if 
the partial orders of the clocks, determined by their fractional 
parts in $v$ and $v'$, are the same. 

Fig. 11. A time-sensitive login protocol implemented as a timed automaton 

Definition 16 (Region Equivalence): Let $T$ be a timed 
automaton and let $K$ be the maximum constant used in the 
guards of $T$. We say that two clock valuations $v$ and $v'$ are 
region equivalent, and we write $v \sim_R v'$, if and only if: 

— either for $x \in X$ we have $v(x) > K$ and $v'(x) > K$, or 

— for any $x, y \in X$ with $v(x), v'(x) \leq K$ and 
$v(y), v'(y) \leq K$ the following conditions hold: 

- $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$, and $\{v(x)\} = 0$ iff $\{v'(x)\} = 0$, 

- $\lfloor v(y) \rfloor = \lfloor v'(y) \rfloor$, and $\{v(y)\} = 0$ iff $\{v'(y)\} = 0$, 

- $\{v(x)\} \leq \{v(y)\}$ if and only if $\{v'(x)\} \leq \{v'(y)\}$, 

where $\{c\} = (c - \lfloor c \rfloor)$ represents the fractional part of 
$c \in \mathbb{R}_{\geq 0}$. 

It is easy to see that $\sim_R$ is an equivalence relation. For 
a clock valuation $v$ we write $[v]$ for the region equivalence 
class of $v$. The region equivalence relation can be extended from 
valuations to configurations of a timed automaton $T$ in a 
straightforward manner: we say that two configurations $(m, v)$ 
and $(m', v')$ are region equivalent, and we write $[(m, v)] = [(m', v')]$, if and only if $m = m'$ and $[v] = [v']$. 
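As an added example (not from the paper), the following code decides $v \sim_R v'$ according to Definition 16 and also computes a canonical name for each region, which is what an exploration of the finite bisimulation quotient would use as a state key; the clock names, the value of $K$ and the use of exact rationals are assumptions.

```python
from fractions import Fraction
from itertools import permutations
from math import floor

# Clock valuations are dicts clock -> Fraction (exact arithmetic, so fractional
# parts compare reliably); K is the largest constant in the guards of T.

def frac(c):
    """Fractional part {c} = c - floor(c)."""
    return c - floor(c)

def region_equivalent(v, w, K):
    """Definition 16: same integer parts (clocks beyond K are not distinguished),
    same clocks with zero fractional part, and the same ordering of the
    fractional parts among the clocks that do not exceed K."""
    if v.keys() != w.keys():
        raise ValueError("valuations must range over the same clocks")
    for x in v:
        if v[x] > K and w[x] > K:
            continue                       # both beyond K: indistinguishable
        if v[x] > K or w[x] > K:
            return False                   # beyond K in one valuation only
        if floor(v[x]) != floor(w[x]) or (frac(v[x]) == 0) != (frac(w[x]) == 0):
            return False
    small = [x for x in v if v[x] <= K]    # here v[x] <= K iff w[x] <= K
    for x, y in permutations(small, 2):
        if (frac(v[x]) <= frac(v[y])) != (frac(w[x]) <= frac(w[y])):
            return False
    return True

def region(v, K):
    """Canonical, hashable name of [v]: two valuations get the same name
    exactly when they are region equivalent, so names can serve as states of
    the bisimulation quotient."""
    per_clock = tuple(("above K",) if v[x] > K else (floor(v[x]), frac(v[x]) == 0)
                      for x in sorted(v))
    # clocks with a non-zero fractional part, grouped by equal fraction and
    # listed in increasing order: this is the partial order of Definition 16
    fracs = sorted({frac(v[x]) for x in v if v[x] <= K and frac(v[x]) > 0})
    chain = tuple(frozenset(x for x in v if v[x] <= K and frac(v[x]) == f)
                  for f in fracs)
    return per_clock, chain

def region_of_configuration(m, v, K):
    """[(m, v)] = [(m', v')] iff m = m' and [v] = [v']."""
    return m, region(v, K)

if __name__ == "__main__":
    v = {"x": Fraction(1, 2), "y": Fraction(3, 4)}
    w = {"x": Fraction(1, 3), "y": Fraction(2, 3)}
    print(region_equivalent(v, w, 2), region(v, 2) == region(w, 2))   # True True
```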

Alur and Dill [?] showed that region equivalence relations 
characterize finite bisimulation quotients for timed Kripke 
structures by showing that the number of equivalence classes 
for a timed automaton $(M, M_0, \Sigma, X, \Delta, I, F, V_0)$ is bounded 
from above by $|M| \cdot |X|! \cdot 2^{|X|} \cdot \prod_{x \in X} (2K + 2)$. 

Theorem 8 ([?]): The region equivalence relation characterizes 
a finite bisimulation quotient for timed Kripke structures. 

This theorem combined with Theorem 7 proves the decidability 
of LTL model checking for timed Kripke structures. 
The complexity of LTL model checking was considered by 
Courcoubetis and Yannakakis [?], who showed that the simple 
reachability problem for timed Kripke structures with three or 
more clocks is PSPACE-complete. Despite the high computational 
complexity of verification, algorithms based on the region 
equivalence relation coupled with clever data structures [?] 
to symbolically represent sets of regions have been shown to 
perform well in practice on medium-sized applications [95], 
[?]. UPPAAL [?], KRONOS [?], and RED [?] are some 
of the leading tools that can perform timed-automata-based 
verification. The theory of timed automata has also been 
extended in several directions to allow them to model more 
realistic real-time systems, e.g. real-time systems with cost and 
rewards [73], [126], [?], [88], [?], uncontrollable nondeterminism 
[?], [?], [?], [?], [?], [?], stochastic behavior [?], 
[?], [?], [?], [?], [?], [?], [?], and recursion [?], [?]. 

For a detailed overview of these extensions we refer to [?]. 

B. Multi-Rate and Rectangular Hybrid Automata 

Multi-rate hybrid automata, introduced by Henzinger and 
Kopke [?], [?], [?], are a subclass of hybrid automata 
where the dynamics of variables is restricted to constant 
rates. However, unlike timed automata, different variables can 
have different rates, and the rate of a variable can vary among different modes. 
Moreover, during discrete transitions these variables can be 
reset to real numbers. Also, in a multi-rate hybrid automaton 
the set of predicates permitted to appear as guards on transitions 
is restricted to the following kind of rectangular predicates: 

$$g := c \bowtie x \bowtie c', \qquad (5)$$ 

where $x$ is a variable, $\bowtie \in \{<, \leq, =, \geq, >\}$ and $c, c' \in \mathbb{N}$. We 
write $\mathrm{rect}(X)$ for this class of rectangular predicates over the 
set $X$. Formally, we define a multi-rate hybrid automaton as a 
restriction of hybrid automata in the following manner. 

Definition 17 (Multi-rate Hybrid Automata: Syntax): A 
multi-rate hybrid automaton is a hybrid automaton $H = (M, M_0, \Sigma, X, \Delta, I, F, V_0)$ with the following restrictions: 

— the transition relation $\Delta \subseteq M \times \mathrm{pred}(X) \times \Sigma \times \mathrm{pred}(X \cup X') \times M$ is such that if $(m, g, a, j, m') \in \Delta$ then 

- the guard $g$ is of the form (5), i.e. $g \in \mathrm{rect}(X)$, and 

- the jump predicate $j$ only permits variable resets to 
real numbers, i.e. $j$ is of the form 

$$\bigwedge_{x \in Y} (x' = c_x),$$ 

where $Y \subseteq X$ and $c_x \in \mathbb{Z}$ for each $x \in Y$. We 
denote such a set $Y$ as $\mathrm{reset}(j)$; 

— the mode-invariant function $I : M \to \mathrm{pred}(X)$ is such 
that for all $m \in M$ we have that $I(m) \in \mathrm{rect}(X)$; 

— the flow function $F$ is such that for 
all $m \in M$ we have that $F(m)$ characterizes 

$$\bigwedge_{x \in X} (\dot{x} = c_{x,m}),$$ 

where $c_{x,m} \in \mathbb{Z}$ for each $x \in X$; and 

— $V_0 \in \mathrm{pred}(X)$, the set of initial valuations, is such that 

$$V_0 = \bigwedge_{x \in X} (x = 0).$$ 

The semantics of multi-rate automata and the concept of 
multi-rate Kripke structures are defined in a similar way as for 
hybrid automata. Rectangular hybrid automata [?], [59] are a 
generalization of multi-rate hybrid automata where within each 
mode the rate of a variable can change non-deterministically 
within a given mode-dependent interval. 

Using a reduction from two-counter Minsky machines, one 
can easily show that the LTL model checking problem for 
multi-rate hybrid automata is undecidable. 

Theorem 9 ([59]): The LTL model-checking problem for multi-rate 
hybrid automata is undecidable. 

We say that a multi-rate (or rectangular) hybrid automaton 
is initialized if it satisfies the property that every transition 
between two modes with different rates (rate intervals, resp.) 
for a variable resets that variable, i.e. for every transition 
$(m, g, a, j, m') \in \Delta$ with $F(m)(x) \neq F(m')(x)$ we have 
$x \in \mathrm{reset}(j)$. Figure 12 shows an initialized rectangular 
automaton. 

Fig. 12. An initialized rectangular automaton 

Henzinger et al. [59] showed the decidability of initialized 
rectangular and multi-rate hybrid automata. 

Theorem 10: The LTL model-checking problem for initialized 
rectangular (multi-rate) hybrid automata is decidable. 
Proof. The decidability of the LTL model-checking problem for 
initialized multi-rate automata follows by reducing the problem to the 
corresponding problem for timed automata: the rate of every 
variable is rescaled to one via an appropriate adjustment of the constants 
in the mode invariants and in the guards of all the transitions. 

To prove the decidability for an initialized rectangular automaton 
$H_r$, we reduce the problem to the corresponding problem 
for an initialized multi-rate automaton $H_m$. Each variable $x$ 
of $H_r$ with rate in the rectangle $a \leq \dot{x} \leq b$ is simulated 
using two variables $x_l, x_u$ such that $\dot{x}_l = a$ and $\dot{x}_u = b$. The 
variables $x_l, x_u$ keep track of the lower and upper bounds of 
$x$ respectively. With this replacement, the invariant conditions 
of modes, as well as guards and resets on transitions, have to 
be adjusted appropriately. For example, if we had a transition 
with guard $x \leq 10$, then it is replaced with (i) $x_l \leq 10$ and 
(ii) $x_u > 10$, $x'_u = 10$. This conversion from initialized rectangular 
to initialized multi-rate automata is language preserving. 
Hence, from the decidability of the LTL model checking problem 
for initialized multi-rate hybrid automata, the decidability for 
initialized rectangular hybrid automata follows. ■ 
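The guard adjustment in the reduction from initialized rectangular to initialized multi-rate automata, written out as an added example (my reading of the construction sketched in the proof above, not code from Henzinger et al.): a closed guard $lo \leq x \leq hi$ on a variable whose rate lies in $[a, b]$ becomes four transitions over the bounding variables $x_l$ and $x_u$, and the initialized-ness check that the reduction relies on is included; the variable naming and the tuple encodings of guards, resets and transitions are assumptions.

```python
from itertools import product

# In the multi-rate automaton x is tracked by x_l (rate a) and x_u (rate b);
# the true value of x may be anywhere in [x_l, x_u]. Guards are lists of
# (variable, operator, constant); resets are dicts variable -> constant.
OPS = {"<": lambda p, q: p < q, "<=": lambda p, q: p <= q,
       ">": lambda p, q: p > q, ">=": lambda p, q: p >= q}

def translate_guard(x, lo, hi):
    """Replace the guard lo <= x <= hi by four transitions over x_l, x_u.
    The guard can be satisfied iff [x_l, x_u] meets [lo, hi]; afterwards the
    bounds are tightened to max(x_l, lo) and min(x_u, hi), which needs one
    copy of the transition per combination of 'x_l below lo' / 'x_u above hi'
    (the paper's case (ii) x_u > 10, x'_u = 10 is the 'cut upper' copy)."""
    xl, xu = x + "_l", x + "_u"
    transitions = []
    for raise_lower, cut_upper in product([False, True], repeat=2):
        guard = [(xu, ">=", lo), (xl, "<=", hi)]      # intervals overlap
        reset = {}
        if raise_lower:
            guard.append((xl, "<", lo)); reset[xl] = lo
        else:
            guard.append((xl, ">=", lo))
        if cut_upper:
            guard.append((xu, ">", hi)); reset[xu] = hi
        else:
            guard.append((xu, "<=", hi))
        transitions.append((guard, reset))
    return transitions

def enabled(guard, val):
    return all(OPS[op](val[var], c) for var, op, c in guard)

def fire(transitions, val):
    """Take the unique enabled copy (if any) and return the new valuation."""
    taken = [(g, r) for g, r in transitions if enabled(g, val)]
    if not taken:
        return None
    assert len(taken) == 1, "the four copies are mutually exclusive"
    new = dict(val)
    new.update(taken[0][1])
    return new

def is_initialized(transitions, rates):
    """Every transition (m, g, a, j, m') that changes the rate (or rate
    interval) of x must have x in reset(j). rates: mode -> {var: rate};
    transitions carry reset(j) as a set of variable names."""
    return all(x in resets for (m, _g, _a, resets, m2) in transitions
               for x in rates[m] if rates[m][x] != rates[m2][x])

if __name__ == "__main__":
    t = translate_guard("x", 5, 10)
    print(fire(t, {"x_l": 2, "x_u": 15}))   # {'x_l': 5, 'x_u': 10}
```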


C. Piecewise-Constant Derivative Systems and Their Variants 

Asarin, Maler, and Pnueli [18] initiated the study of hybrid 
dynamical systems with piecewise-constant derivatives (PCD), 
defined as a partition of the Euclidean space into a finite set 
of regions (polyhedral predicates), where the dynamics in a 
region is defined by a constant rate vector. They defined PCD 
systems as completely deterministic systems where a discrete 
transition occurs at region boundaries, where runs change their 
direction according to the rate vector available in the new 
region. Given the simplicity of such systems, it is perhaps 
surprising that the reachability problem for PCD systems with 
three or more variables is undecidable [18]. In fact, Asarin and 
Maler [16] observed that, due to the capability of such systems 
to perform Zeno runs, every set of the arithmetical hierarchy (a 
hierarchy of undecidable problems) can be recognized by a 
PCD system of some finite dimension. On the positive side, 
Asarin, Maler, and Pnueli [18] gave an algorithm to solve 
the reachability problem for two-dimensional PCD systems. 
Cerans and Viksna [42] later generalized this decidability 
result to more general piecewise-Hamiltonian systems. We 
also mention the work of Asarin, Schneider, and Yovine [?], who 
extended the decidability result for two-dimensional PCD systems 
to the non-deterministic setting of simple planar differential 
inclusion systems (SPDIs), where a number of rate vectors are 
available in each region. 

Kesten, Pnueli, Sifakis, and Yovine [64] also studied another 
variant of constant-rate hybrid systems, called integration 
graphs, that can be considered as a subclass of multi-rate 
automata where no test of non-clock (integrator) variables 
is allowed to appear on a loop. Kesten et al. [64] showed 
decidability for two subclasses of integration graphs: 
the class with a single clock variable, and the class where 
integrators are tested only once. 

Recently, Bouyer et al. [35] introduced timed automata 
with energy constraints, which can be considered as multi-rate 
automata with a single non-clock variable (the energy variable) 
that does not appear on guards, and showed decidability of the 
schedulability problem where the energy variable is required 
to remain above a given lower bound. Bouyer, Fahrenberg, 
Larsen, and Markey [34] later generalized this result to give 
an EXPTIME algorithm for a subclass where energy variables 
can grow exponentially. 

Alur, Trivedi, and Wojtczak recently studied constant-rate 
multi-mode systems [13], which can be considered as multi-rate 
automata with the exception that there is no structure in the 
automaton, i.e. any mode can be used after any other mode, and 
there is only a global invariant over the variables. They showed 
that the reachability and schedulability problems for these systems 
can be solved in polynomial time for starting states strictly 
inside the global invariant space. Alur, Trivedi, and Wojtczak 
also showed that introducing either local invariants or guards 
makes the reachability problem undecidable. Alur et al. [?] 
later studied this problem on a generalization of constant-rate 
multi-mode systems to bounded-rate multi-mode systems and 
showed the decidability of the schedulability problem. 

V. Summary 

In this article we presented hybrid automata for modeling 
and formal verification of cyber-physical systems. We 
began by showing how hybrid automata naturally combine 
features from continuous dynamical systems and discrete 
finite state machines, and provide an elegant and expressive 
model. This expressiveness, however, comes with a price: the 
simple reachability problem for simple subclasses of hybrid 
automata, like piecewise-constant derivative systems, turned 
out to be highly undecidable. We discussed a general approach 
of finding a finite bisimulation quotient to show the decidability 
of subclasses of hybrid automata, and sketched the proof 
of decidability for two key subclasses: timed automata 
and initialized rectangular hybrid automata. Hybrid automata 
provide an intuitive and semantically unambiguous way to 
model cyber-physical systems. These formalisms come with a 
rich theory and a mature set of tools, UPPAAL [?], Kronos [?], 
RED [89], HyTech [60], and PHAVer [86], able 
to perform automatic verification of systems modeled using 
them. A growing number of case studies using these tools have 
shown promise in extending the state-of-the-art to industrial-sized 
examples. 